# Splunk Infrastructure Monitoring Use Cases — Full Index

> Complete listing of all 6565+ IT infrastructure monitoring use cases for Splunk across 23 technology domains. Each entry shows the use case ID, title, and criticality. For full SPL queries and implementation details, see the per-category markdown files linked below.

For a concise category-level overview with descriptions, steering directives, and documentation links, see: https://fenre.github.io/splunk-monitoring-use-cases/llms.txt

Machine-readable catalog (JSON): https://fenre.github.io/splunk-monitoring-use-cases/catalog.json

Raw GitHub catalog (JSON): https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/catalog.json

Schema reference: https://fenre.github.io/splunk-monitoring-use-cases/docs/catalog-schema.md

Interactive dashboard (JavaScript SPA): https://fenre.github.io/splunk-monitoring-use-cases/

## 1. Server & Compute

Linux, Windows, macOS endpoint and server monitoring — CPU, memory, disk, processes, security events, and compliance.

**Quick tip:** Deploy Splunk_TA_nix or Splunk_TA_windows on forwarders to start collecting OS metrics immediately.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-01-server-compute.md

Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-01-server-compute.md

### 1.1 Linux Servers

- UC-1.1.1 · CPU Utilization Trending (Linux) [high]
- UC-1.1.2 · Memory Pressure Detection (Linux) [high]
- UC-1.1.3 · Disk Capacity Forecasting (Linux) [critical]
- UC-1.1.4 · Disk I/O Saturation (Linux) [high]
- UC-1.1.5 · System Load Anomalies [medium]
- UC-1.1.6 · Process Crash Detection (Linux) [high]
- UC-1.1.7 · OOM Killer Events [critical]
- UC-1.1.8 · SSH Brute-Force Detection [high]
- UC-1.1.9 · Unauthorized Sudo Usage [high]
- UC-1.1.10 · Cron Job Failure Monitoring [medium]
- UC-1.1.11 · Kernel Panic Detection [critical]
- UC-1.1.12 · NTP Time Sync Drift (Linux) [medium]
- UC-1.1.13 · Zombie Process Accumulation [medium]
- UC-1.1.14 · File Descriptor Exhaustion [high]
- UC-1.1.15 · Network Interface Errors [medium]
- UC-1.1.16 · Package Vulnerability Tracking [medium]
- UC-1.1.17 · Service Availability Monitoring [critical]
- UC-1.1.18 · User Account Changes [high]
- UC-1.1.19 · Filesystem Read-Only Detection [critical]
- UC-1.1.20 · Reboot Detection (Linux) [high]
- UC-1.1.21 · Kernel Module Loading Tracking [high]
- UC-1.1.22 · Sysctl Parameter Changes Detection [high]
- UC-1.1.23 · Kernel Core Dump Generation [critical]
- UC-1.1.24 · Kernel Ring Buffer Error Rate [high]
- UC-1.1.25 · NUMA Imbalance Detection [medium]
- UC-1.1.26 · CPU Frequency Scaling Events [medium]
- UC-1.1.27 · CPU Steal Time Elevation (Virtual Machines) [high]
- UC-1.1.28 · IRQ Imbalance Across CPU Cores [medium]
- UC-1.1.29 · Context Switch Rate Anomaly Detection (Linux) [medium]
- UC-1.1.30 · Scheduler Latency and Run Queue Depth [high]
- UC-1.1.31 · Hugepage Allocation and Usage [medium]
- UC-1.1.32 · Transparent Hugepage Compaction Stalls [high]
- UC-1.1.33 · Inode Exhaustion Detection [critical]
- UC-1.1.34 · RAID Array Degradation Detection [critical]
- UC-1.1.35 · LVM Thin Pool Capacity Monitoring [high]
- UC-1.1.36 · Multipath I/O Failover Events [critical]
- UC-1.1.37 · NFS Mount Stale Handle Detection [critical]
- UC-1.1.38 · Filesystem Journal Errors [high]
- UC-1.1.39 · Ext4 Filesystem Errors and Recovery [high]
- UC-1.1.40 · XFS Filesystem Errors and Recovery [high]
- UC-1.1.41 · Disk SMART Health Monitoring [critical]
- UC-1.1.42 · SSD Wear Leveling and Health [high]
- UC-1.1.43 · Fstrim and TRIM Command Monitoring [medium]
- UC-1.1.44 · Memory Leak Detection Per Process [high]
- UC-1.1.45 · Swap Thrashing Detection [critical]
- UC-1.1.46 · Slab Cache Growth Monitoring [high]
- UC-1.1.47 · Page Cache Pressure and Reclaim Activity [medium]
- UC-1.1.48 · NUMA Memory Imbalance Per Node [medium]
- UC-1.1.49 · Memory Cgroup Limit Enforcement [high]
- UC-1.1.50 · Transparent Hugepage Defragmentation Stalls [high]
- UC-1.1.51 · TCP Retransmission Rate Elevation [high]
- UC-1.1.52 · Connection Tracking Table Exhaustion [critical]
- UC-1.1.53 · Socket Buffer Overflow Detection [high]
- UC-1.1.54 · Network Namespace Monitoring [medium]
- UC-1.1.55 · DNS Resolution Failure Rate [high]
- UC-1.1.56 · Firewall Rule Hit Tracking (iptables/nftables) [medium]
- UC-1.1.57 · ARP Table Overflow Detection [high]
- UC-1.1.58 · Network Bond Failover Events (Linux) [critical]
- UC-1.1.59 · Network Team Failover Detection (Linux) [critical]
- UC-1.1.60 · MTU Mismatch Detection [medium]
- UC-1.1.61 · TCP TIME_WAIT Accumulation [medium]
- UC-1.1.62 · Network Bandwidth Utilization by Interface (Linux) [medium]
- UC-1.1.63 · Dropped Packets by Network Interface [high]
- UC-1.1.64 · Network Latency Monitoring (Ping RTT) [medium]
- UC-1.1.65 · Auditd Rule Violation Detection [critical]
- UC-1.1.66 · SELinux Denial Monitoring [high]
- UC-1.1.67 · AppArmor Profile Violation Detection [high]
- UC-1.1.68 · Rootkit Detection via File Integrity [critical]
- UC-1.1.69 · SUID/SGID Binary Changes [critical]
- UC-1.1.70 · /etc/passwd Modifications [critical]
- UC-1.1.71 · /etc/shadow Modifications [critical]
- UC-1.1.72 · SSH Public Key Changes [critical]
- UC-1.1.73 · PAM Authentication Failure Tracking [high]
- UC-1.1.74 · Login from Unusual Source IPs [high]
- UC-1.1.75 · Failed su Attempts [high]
- UC-1.1.76 · Privilege Escalation Detection [critical]
- UC-1.1.77 · Unauthorized Cron Job Additions [critical]
- UC-1.1.78 · Open Port Changes [critical]
- UC-1.1.79 · Setcap Binary Monitoring [critical]
- UC-1.1.80 · Systemd Unit Failures [high]
- UC-1.1.81 · Systemd Timer Missed Triggers [medium]
- UC-1.1.82 · D-State (Uninterruptible Sleep) Process Detection [critical]
- UC-1.1.83 · Process CPU Affinity Changes [medium]
- UC-1.1.84 · Runaway Process Detection (CPU Hog) [high]
- UC-1.1.85 · Memory Hog Detection [high]
- UC-1.1.86 · Fork Bomb Detection [critical]
- UC-1.1.87 · Process Namespace Breakout Detection [critical]
- UC-1.1.88 · Container Escape Attempt Detection [critical]
- UC-1.1.89 · Syslog Flood Detection [high]
- UC-1.1.90 · Journal Disk Usage Monitoring [medium]
- UC-1.1.91 · Log Rotation Failures [medium]
- UC-1.1.92 · Auditd Daemon Health [high]
- UC-1.1.93 · Rsyslog Queue Backlog Monitoring [medium]
- UC-1.1.94 · Failed Log Forwarding [high]
- UC-1.1.95 · TCP Connection Establishment Rate [medium]
- UC-1.1.96 · NUMA Hit/Miss Ratio Tracking [medium]
- UC-1.1.97 · CPU C-State Residency Monitoring [medium]
- UC-1.1.98 · TLB Shootdown Rate Monitoring [medium]
- UC-1.1.99 · Kernel Lock Contention Detection [medium]
- UC-1.1.100 · Softirq Rate Monitoring [medium]
- UC-1.1.101 · Context Switch Anomalies Detection [medium]
- UC-1.1.102 · EDAC Memory Error Tracking [critical]
- UC-1.1.103 · IPMI Sensor Threshold Violations [critical]
- UC-1.1.104 · Thermal Throttling Detection [critical]
- UC-1.1.105 · Fan Speed Anomalies [critical]
- UC-1.1.106 · Power Supply State Changes [critical]
- UC-1.1.107 · Hardware Clock Drift Detection [high]
- UC-1.1.108 · Password Policy Violation Detection [medium]
- UC-1.1.109 · Account Expiry Monitoring [medium]
- UC-1.1.110 · Inactive User Detection [medium]
- UC-1.1.111 · World-Writable File Detection [high]
- UC-1.1.112 · Unowned File Detection [high]
- UC-1.1.113 · SETUID Audit and Tracking [critical]
- UC-1.1.114 · Open File Handle Per-Process Monitoring [medium]
- UC-1.1.115 · Listening Port Compliance [high]
- UC-1.1.116 · Installed Package Drift Detection [medium]
- UC-1.1.117 · Configuration File Change Tracking (/etc) [critical]
- UC-1.1.118 · System Reboot Frequency Anomaly [medium]
- UC-1.1.119 · Defunct (Zombie) Process Accumulation [medium]
- UC-1.1.120 · Symbolic Link Chain Depth Monitoring [medium]
- UC-1.1.121 · Bootloader Configuration Changes [critical]
- UC-1.1.122 · Systemd Unit State Monitoring [high]
- UC-1.1.123 · Linux Cgroup Resource Pressure (PSI) [medium]
- UC-1.1.124 · Linux Entropy Pool Depletion [medium]
- UC-1.1.125 · Linux Journal / Journald Health [medium]
- UC-1.1.126 · Chrony / NTP Time Synchronization Drift [high]
- UC-1.1.127 · Swap Activity Rate Trending [medium]
- UC-1.1.128 · Filesystem Inode Exhaustion [critical]
- UC-1.1.129 · Linux Softirq / Hardirq Time [medium]
- UC-1.1.130 · TCP Connection State Distribution (Linux) [medium]
- UC-1.1.131 · Linux OOM Killer Invocation Tracking [critical]

### 1.2 Windows Servers

- UC-1.2.1 · CPU Utilization Trending (Windows) [high]
- UC-1.2.2 · Memory Utilization & Paging (Windows) [high]
- UC-1.2.3 · Disk Space Monitoring (Windows) [critical]
- UC-1.2.4 · Windows Service Failures [critical]
- UC-1.2.5 · Event Log Flood Detection [medium]
- UC-1.2.6 · Failed Login Monitoring [high]
- UC-1.2.7 · Account Lockout Tracking [high]
- UC-1.2.8 · Privileged Group Changes [critical]
- UC-1.2.9 · Windows Update Compliance [medium]
- UC-1.2.10 · Scheduled Task Failures [medium]
- UC-1.2.11 · Blue Screen of Death (BSOD) [critical]
- UC-1.2.12 · RDP Session Monitoring [high]
- UC-1.2.13 · PowerShell Script Execution [high]
- UC-1.2.15 · DNS Server Health [high]
- UC-1.2.16 · DHCP Scope Exhaustion [high]
- UC-1.2.17 · Certificate Expiration [high]
- UC-1.2.19 · Group Policy Processing Failures [medium]
- UC-1.2.20 · Print Spooler Issues [low]
- UC-1.2.21 · Disk I/O Queue Length (Windows) [high]
- UC-1.2.22 · Process Handle Leak Detection [high]
- UC-1.2.23 · Non-Paged Pool Exhaustion [critical]
- UC-1.2.24 · Network Interface Utilization (Windows) [high]
- UC-1.2.25 · Processor Queue Length [medium]
- UC-1.2.26 · Security Log Cleared [critical]
- UC-1.2.27 · New Service Installation [high]
- UC-1.2.28 · Windows Firewall Rule Changes [high]
- UC-1.2.29 · Registry Run Key Modification (Persistence) [critical]
- UC-1.2.30 · LSASS Memory Access (Credential Dumping) [critical]
- UC-1.2.31 · Kerberos Authentication Failures [high]
- UC-1.2.32 · WMI Event Subscription Persistence [critical]
- UC-1.2.33 · Audit Policy Changes [critical]
- UC-1.2.34 · AppLocker / WDAC Policy Violations [high]
- UC-1.2.35 · Windows Defender Threat Detections [critical]
- UC-1.2.36 · DCSync Attack Detection [critical]
- UC-1.2.37 · Kerberoasting Detection (SPN Ticket Requests) [critical]
- UC-1.2.38 · AD Object Deletion Monitoring [critical]
- UC-1.2.39 · Domain Trust Changes [critical]
- UC-1.2.40 · WHEA Hardware Error Reporting [high]
- UC-1.2.41 · Volume Shadow Copy Failures [high]
- UC-1.2.42 · .NET CLR Performance Monitoring [medium]
- UC-1.2.43 · Failover Cluster Event Monitoring [critical]
- UC-1.2.44 · SMB Share Access Anomalies [high]
- UC-1.2.45 · Windows Time Service (W32Time) Issues [high]
- UC-1.2.46 · DFS-R Replication Backlog [high]
- UC-1.2.47 · Application Crash (WER) Trending [medium]
- UC-1.2.48 · PowerShell Script Block Logging [high]
- UC-1.2.49 · Lateral Movement via Explicit Credentials [critical]
- UC-1.2.50 · DNS Debug Query Logging [medium]
- UC-1.2.51 · Process Creation with Command Line Auditing [high]
- UC-1.2.52 · NIC Teaming / LBFO Failover (Windows) [high]
- UC-1.2.53 · BitLocker Recovery Events [high]
- UC-1.2.54 · Windows Event Forwarding (WEF) Health [high]
- UC-1.2.55 · Suspicious Token Manipulation [critical]
- UC-1.2.56 · Sysmon Network Connection Monitoring [high]
- UC-1.2.57 · Thread Count Exhaustion [high]
- UC-1.2.58 · Storage Spaces Health Monitoring [critical]
- UC-1.2.59 · DCOM / COM+ Application Errors [medium]
- UC-1.2.60 · Code Integrity / Driver Signing Violations [critical]
- UC-1.2.61 · Data Deduplication Health [medium]
- UC-1.2.62 · TCP Connection State Monitoring (Windows) [medium]
- UC-1.2.63 · Windows Installer Failures [medium]
- UC-1.2.64 · Event Log Channel Size / Overflow [high]
- UC-1.2.65 · Pass-the-Hash / NTLM Relay Detection [critical]
- UC-1.2.66 · Sysmon File Creation in Suspicious Paths [high]
- UC-1.2.67 · Golden Ticket Detection (TGT Anomalies) [critical]
- UC-1.2.68 · NTFS Corruption and Self-Healing [critical]
- UC-1.2.69 · Page File Usage & Exhaustion [high]
- UC-1.2.70 · Context Switch Rate Anomalies (Windows) [medium]
- UC-1.2.71 · Scheduled Task Creation (Persistence) [high]
- UC-1.2.72 · WinRM / Remote PowerShell Connections [high]
- UC-1.2.73 · LDAP Query Performance (DC Health) [high]
- UC-1.2.76 · AdminSDHolder Modification [critical]
- UC-1.2.77 · SPN Modification (Targeted Kerberoasting) [critical]
- UC-1.2.78 · DSRM Account Usage [critical]
- UC-1.2.79 · Sysmon DNS Query Logging [medium]
- UC-1.2.81 · SMBv1 Usage Detection [high]
- UC-1.2.82 · Credential Guard Status Monitoring [high]
- UC-1.2.83 · Boot Configuration Changes (BCDEdit) [critical]
- UC-1.2.84 · Sysmon Named Pipe Monitoring [high]
- UC-1.2.86 · NTLM Audit and Restriction Monitoring [medium]
- UC-1.2.87 · DPAPI Credential Backup (DC) [critical]
- UC-1.2.88 · Windows Search Indexer Issues [low]
- UC-1.2.89 · System Uptime & Unexpected Restarts (Windows) [medium]
- UC-1.2.90 · Shadow Copy Deletion (Ransomware Indicator) [critical]
- UC-1.2.91 · USB / Removable Device Auditing [medium]
- UC-1.2.92 · Remote Desktop Gateway Session Monitoring [medium]
- UC-1.2.93 · Group Policy Object (GPO) Modification Auditing [critical]
- UC-1.2.94 · Windows Subsystem for Linux (WSL) Activity [medium]
- UC-1.2.95 · Windows Container Health Monitoring [medium]
- UC-1.2.96 · DNS Server Zone Transfer Monitoring [critical]
- UC-1.2.97 · Print Spooler Vulnerability Monitoring (PrintNightmare) [critical]
- UC-1.2.98 · NPS / RADIUS Authentication Monitoring [medium]
- UC-1.2.100 · PKI / Certificate Authority Health [critical]
- UC-1.2.101 · File Share Access Auditing (SMB) [medium]
- UC-1.2.102 · Software Restriction / AppLocker Bypass Detection [critical]
- UC-1.2.103 · Terminal Services / RDP Session Tracking [medium]
- UC-1.2.104 · Disk Latency and I/O Performance (Windows) [high]
- UC-1.2.105 · Windows Defender Exclusion Monitoring [critical]
- UC-1.2.106 · Local Administrator Group Membership Changes [critical]
- UC-1.2.107 · DFS Replication Health Monitoring [high]
- UC-1.2.108 · Kerberos Constrained Delegation Abuse [critical]
- UC-1.2.109 · Windows Time Service (W32Time) Drift [high]
- UC-1.2.110 · PowerShell Constrained Language Mode Bypass [critical]
- UC-1.2.111 · Windows Firewall Rule Tampering [critical]
- UC-1.2.112 · BITS Transfer Abuse Detection [high]
- UC-1.2.113 · COM Object Hijacking Detection [high]
- UC-1.2.114 · LSASS Memory Protection Monitoring [critical]
- UC-1.2.115 · Logon Session Anomalies (Type 3 / Network Logon) [high]
- UC-1.2.116 · WMI Persistence Detection [critical]
- UC-1.2.117 · NIC Teaming & Network Adapter Failures (Windows) [high]
- UC-1.2.118 · ASR (Attack Surface Reduction) Rule Monitoring [critical]
- UC-1.2.119 · Registry Run Key Persistence Monitoring [critical]
- UC-1.2.120 · BitLocker Recovery & Compliance Monitoring [high]
- UC-1.2.121 · DNS Client Query Anomalies [medium]
- UC-1.2.122 · Local Account Creation & Modification [critical]
- UC-1.2.123 · Token Manipulation / Privilege Escalation [critical]
- UC-1.2.124 · Process Injection Detection (Sysmon) [critical]
- UC-1.2.125 · Cluster Shared Volume (CSV) Health [high]
- UC-1.2.126 · DCOM Activation Failures [medium]
- UC-1.2.127 · Automatic Windows Update Compliance [high]
- UC-1.2.128 · Service Account Logon Anomalies [critical]
- UC-1.2.129 · Sysmon Driver/Image Load Monitoring [high]
- UC-1.2.130 · Scheduled Task Modification for Persistence [critical]
- UC-1.2.131 · Windows Print Spooler Health [medium]
- UC-1.2.132 · Windows Scheduled Task Failures [medium]
- UC-1.2.133 · Windows WMI Repository Health [medium]
- UC-1.2.134 · Windows Pending Reboot Detection [medium]

### 1.3 macOS Endpoints

- UC-1.3.1 · System Resource Monitoring [medium]
- UC-1.3.2 · FileVault Encryption Status [high]
- UC-1.3.3 · Gatekeeper and SIP Status [medium]
- UC-1.3.4 · Software Update Compliance [medium]
- UC-1.3.5 · Application Crash Monitoring [low]
- UC-1.3.6 · macOS Gatekeeper and XProtect Status [medium]

### 1.4 Bare-Metal / Hardware

- UC-1.4.1 · Hardware Sensor Monitoring [high]
- UC-1.4.2 · RAID Degradation Alerts [critical]
- UC-1.4.3 · Power Supply Failure [critical]
- UC-1.4.4 · Predictive Disk Failure [high]
- UC-1.4.5 · Firmware Version Compliance [medium]
- UC-1.4.6 · Memory ECC Error Trending [high]
- UC-1.4.7 · BMC Out-of-Band Connectivity Health [high]
- UC-1.4.8 · PCIe Link Width and Speed Degradation [medium] [PCI DSS]
- UC-1.4.9 · Out-of-Band Sensor Threshold Breach (IPMI) [critical]
- UC-1.4.10 · Disk Controller and HBA Health [high]
- UC-1.4.11 · Boot Order and UEFI/BIOS Configuration Drift [medium]

## 2. Virtualization

VMware vSphere, Hyper-V, and KVM virtual infrastructure — host contention, VM sprawl, and capacity planning.

**Quick tip:** Install Splunk Add-on for VMware and connect to vCenter to pull ESXi host and VM performance data.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-02-virtualization.md

Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-02-virtualization.md

### 2.1 VMware vSphere

- UC-2.1.1 · ESXi Host CPU Contention [high]
- UC-2.1.2 · ESXi Host Memory Ballooning [high]
- UC-2.1.3 · Datastore Capacity Trending [critical]
- UC-2.1.4 · Datastore Latency Spikes [high]
- UC-2.1.5 · VM Snapshot Sprawl [high]
- UC-2.1.6 · vMotion Tracking [low]
- UC-2.1.7 · HA Failover Events [critical]
- UC-2.1.8 · DRS Imbalance Detection [medium]
- UC-2.1.9 · VM Sprawl Detection [medium]
- UC-2.1.10 · vSAN Health Monitoring [high]
- UC-2.1.11 · ESXi Host Hardware Alerts [high]
- UC-2.1.12 · VM Resource Over-Allocation [medium]
- UC-2.1.13 · vCenter Alarm Correlation [medium]
- UC-2.1.14 · ESXi Patch Compliance [medium]
- UC-2.1.15 · VM Creation/Deletion Audit [medium]
- UC-2.1.16 · VM Network I/O and Dropped Packets [high]
- UC-2.1.17 · VM Disk IOPS Trending and Throttling [high]
- UC-2.1.18 · VMware Tools Status and Version Compliance [medium]
- UC-2.1.19 · Distributed vSwitch Port Health and Errors [high]
- UC-2.1.20 · Resource Pool Utilization and Limits [medium]
- UC-2.1.21 · ESXi Host Unexpected Reboot Detection [critical]
- UC-2.1.22 · vCenter Service Health [critical]
- UC-2.1.23 · VM Unexpected Power State Changes [critical]
- UC-2.1.24 · ESXi Host NTP Clock Drift [medium]
- UC-2.1.25 · Storage I/O Control (SIOC) Throttling [high]
- UC-2.1.26 · VM Hardware Version Compliance [medium]
- UC-2.1.27 · VM Disk Consolidation Needed [high]
- UC-2.1.28 · Thin-Provisioned Disk Growth Rate [high]
- UC-2.1.29 · VM Affinity and Anti-Affinity Rule Violations [medium]
- UC-2.1.30 · Storage DRS Recommendations and Actions [medium]
- UC-2.1.31 · Fault Tolerance Status and Replication Lag [critical]
- UC-2.1.32 · ESXi Host Certificate Expiration [high]
- UC-2.1.33 · ESXi Host Lockdown Mode Compliance [medium]
- UC-2.1.34 · Orphaned VMDK Files on Datastores [medium]
- UC-2.1.35 · VM Guest OS Disk Space via VMware Tools [high]
- UC-2.1.36 · VM Encryption and vTPM Compliance [medium]
- UC-2.1.37 · VM Template Inventory and Staleness [low]
- UC-2.1.38 · ESXi Host Syslog Forwarding Health [medium]
- UC-2.1.39 · ESXi Host Firewall Rule Audit [medium]
- UC-2.1.40 · VM NUMA Alignment [medium]
- UC-2.1.41 · ESXi Host Coredump Configuration [medium]
- UC-2.1.42 · VM CPU Ready Time Percentage [high]
- UC-2.1.43 · VM Disk I/O Latency per Datastore [high]
- UC-2.1.44 · ESXi Host Certificate Renewal Compliance [critical]
- UC-2.1.45 · VM Snapshot Age Alerting [high]
- UC-2.1.46 · vCenter Alarm Acknowledgment Tracking [medium]
- UC-2.1.47 · VM Network Packet Loss and Retransmit [high]
- UC-2.1.48 · VMware DRS Effectiveness [medium]

### 2.2 Microsoft Hyper-V

- UC-2.2.1 · VM Performance Monitoring [high]
- UC-2.2.2 · Hyper-V Replication Health [high]
- UC-2.2.3 · Cluster Shared Volume Health [critical]
- UC-2.2.4 · Live Migration Tracking [low]
- UC-2.2.5 · Integration Services Version [low]
- UC-2.2.6 · Hyper-V Host Resource Utilization [high]
- UC-2.2.7 · Dynamic Memory Pressure and Effectiveness [high]
- UC-2.2.8 · Checkpoint Age and Sprawl [high]
- UC-2.2.9 · Virtual Switch Dropped Packets and Network Errors [high]
- UC-2.2.10 · Failover Cluster Node Health and Quorum [critical]
- UC-2.2.11 · Storage Spaces Direct (S2D) Health [critical]
- UC-2.2.12 · VM Generation and Secure Boot Compliance [medium]
- UC-2.2.13 · Hyper-V Event Log Error Trending [medium]
- UC-2.2.14 · VM Resource Metering for Chargeback [low]
- UC-2.2.15 · Hyper-V VM State Changes [high]

### 2.3 KVM / Proxmox / oVirt

- UC-2.3.1 · Guest VM Resource Monitoring [medium]
- UC-2.3.2 · Host Overcommit Detection [high]
- UC-2.3.3 · VM Lifecycle Events [medium]
- UC-2.3.4 · KVM Guest Agent Heartbeat [high]
- UC-2.3.5 · Libvirt Network Filter and Firewall Rule Audit [medium]
- UC-2.3.6 · Virtual Disk Backing Chain and Snapshot Age [high]
- UC-2.3.7 · KVM Host CPU Model and Migration Compatibility [medium]
- UC-2.3.8 · Virtio Driver and Balloon Status in Guests [medium]
- UC-2.3.9 · QEMU Process Crash and Zombie Detection [critical]
- UC-2.3.10 · Storage Pool Capacity Monitoring [high]
- UC-2.3.11 · Proxmox Backup Server Job Status [critical]
- UC-2.3.12 · Proxmox Cluster Corosync and Quorum Health [critical]
- UC-2.3.13 · Proxmox HA Group and Fence Status [high]
- UC-2.3.14 · ZFS Pool Health for Proxmox/KVM [critical]
- UC-2.3.15 · VM Disk Cache Mode Audit [medium]
- UC-2.3.16 · Libvirt Daemon Health and Responsiveness [critical]
- UC-2.3.17 · Proxmox VE Cluster Monitoring [high]

### 2.4 Cross-Platform Virtualization

- UC-2.4.1 · Guest OS End-of-Life Tracking [high]
- UC-2.4.2 · VM Backup Coverage Validation [critical]
- UC-2.4.3 · VM-to-Host Density Trending [medium]
- UC-2.4.4 · VM Provisioning Time Tracking [low]
- UC-2.4.5 · Virtualization License Compliance [high]
- UC-2.4.6 · Multi-Hypervisor Fleet Inventory [medium]
- UC-2.4.7 · oVirt / RHV Data Center Health [medium]

### 2.5 End-User Computing / VDI Endpoints

- UC-2.5.1 · IGEL Device Fleet Online/Offline Status [critical]
- UC-2.5.2 · IGEL Firmware Version Compliance [high]
- UC-2.5.3 · IGEL UMS Server Health Monitoring [critical]
- UC-2.5.4 · IGEL Device Heartbeat Loss Detection [high]
- UC-2.5.5 · IGEL OS Endpoint Syslog Error Monitoring [high]
- UC-2.5.6 · IGEL UMS Security Audit Log Monitoring [high]
- UC-2.5.7 · IGEL Device Resource Utilization [medium]
- UC-2.5.8 · IGEL Device Unscheduled Reboot Detection [medium]
- UC-2.5.9 · IGEL Cloud Gateway Connection Health [high]
- UC-2.5.10 · IGEL Device Configuration Drift Detection [medium]

### 2.6 Citrix Virtual Apps & Desktops

- UC-2.6.1 · Citrix Session Logon Duration Breakdown [critical]
- UC-2.6.2 · ICA/HDX Session Latency and Quality [critical]
- UC-2.6.3 · Citrix Connection Failure Analysis [critical]
- UC-2.6.4 · VDA Machine Registration Health [critical]
- UC-2.6.5 · Citrix Delivery Controller Service Health [critical]
- UC-2.6.6 · Citrix Machine Power State Management [high]
- UC-2.6.7 · ICA/HDX Virtual Channel Bandwidth Consumption [medium]
- UC-2.6.8 · Citrix Provisioning Services (PVS) vDisk Streaming Health [critical]
- UC-2.6.9 · Citrix Profile Management Load Time [high]
- UC-2.6.10 · Citrix StoreFront Authentication and Enumeration Health [high]
- UC-2.6.11 · Citrix License Server Utilization and Compliance [high]
- UC-2.6.12 · Citrix Application Usage and Popularity Analytics [medium]
- UC-2.6.13 · Citrix Federated Authentication Service (FAS) Certificate Health [high]
- UC-2.6.14 · Citrix Workspace Environment Management (WEM) Optimization Effectiveness [medium]
- UC-2.6.15 · Citrix Session Recording Compliance Monitoring [high]
- UC-2.6.16 · Citrix Cloud Connector Health [critical]
- UC-2.6.17 · uberAgent Experience Score Monitoring [critical]
- UC-2.6.18 · Application Unresponsiveness (UI Hangs) Detection [high]
- UC-2.6.19 · Application Startup Duration Tracking [high]
- UC-2.6.20 · Browser Performance per Web Application [medium]
- UC-2.6.21 · Machine Boot and Shutdown Duration Analysis [medium]
- UC-2.6.22 · Per-Application CPU and Memory Consumption [high]
- UC-2.6.23 · Application Crash and Error Reporting [high]
- UC-2.6.24 · Citrix Site Delivery Group Capacity and Health [critical]
- UC-2.6.25 · Citrix NetScaler ADC Performance via uberAgent [high]
- UC-2.6.26 · Per-Application Network Performance [medium]
- UC-2.6.27 · Endpoint Security Analytics (ESA) Threat Detection [critical]
- UC-2.6.28 · Local Host Cache (LHC) Sync Status and Mode Transitions [critical]
- UC-2.6.29 · Machine Catalog Image Pipeline Health [high]
- UC-2.6.30 · MCS Provisioning and Identity Disk Health [high]
- UC-2.6.31 · Citrix Zone Topology and Zone Preference Failover [high]
- UC-2.6.32 · Hypervisor Connection Health Monitoring [critical]
- UC-2.6.33 · Citrix Autoscale Capacity Events [high]
- UC-2.6.34 · Maintenance Mode and Drain Operations Tracking [medium]
- UC-2.6.35 · Pre-Launch and Lingering Session Management [medium]
- UC-2.6.36 · Session Reliability and Auto Client Reconnect [high]
- UC-2.6.37 · HDX Adaptive Transport (EDT) and Graphics Mode [high]
- UC-2.6.38 · Universal Print Server Health and Printing Failures [medium]
- UC-2.6.39 · USB and Peripheral Redirection Failures [medium]
- UC-2.6.40 · Citrix App Layering Health and Layer Attach Status [high]
- UC-2.6.41 · FSLogix and Profile Container Health [high]
- UC-2.6.42 · Citrix Configuration Change Audit Trail [high]
- UC-2.6.43 · Citrix Site Database Connectivity from Controllers [critical]
- UC-2.6.44 · VDA Disk IOPS and Write Cache Utilization [high]
- UC-2.6.45 · Machine Boot Storm Detection and Mitigation [high]
- UC-2.6.46 · Citrix Monitor OData Load Index Trending [high]
- UC-2.6.47 · Workspace App Client Version Distribution [medium]
- UC-2.6.48 · Published Application Inventory Drift [medium]
- UC-2.6.49 · Stuck Sessions and Ghost Session Detection [high]
- UC-2.6.50 · VDA BSOD and Machine Stability Tracking [critical]
- UC-2.6.51 · Citrix StoreFront Server IIS Health [high]
- UC-2.6.52 · VDA Software and OS Version Lifecycle Tracking [medium]
- UC-2.6.53 · Citrix Delivery Group Desktop Assignment Changes [medium]
- UC-2.6.54 · RDS Licensing Validation for Multi-Session Hosts [high]
- UC-2.6.55 · GPU Driver Version and License Status (NVIDIA GRID / vGPU) [high]
- UC-2.6.56 · Citrix Cloud Service Health Status Monitoring [critical]
- UC-2.6.57 · Citrix Cloud Connector Deep Health (HealthData API) [critical]
- UC-2.6.58 · Citrix Analytics for Performance Data Export [high]
- UC-2.6.59 · Citrix Analytics for Security Risk Indicators [critical]
- UC-2.6.60 · Identity Provider (SAML/AAD) Integration Failures [critical]
- UC-2.6.61 · Citrix HDX Rendezvous Protocol Path Selection [high]
- UC-2.6.62 · Citrix Workspace Service Feed Availability [high]
- UC-2.6.63 · DaaS Autoscale Cloud Economics Tracking [high]
- UC-2.6.64 · Citrix Endpoint Management Device Enrollment Failures [high]
- UC-2.6.65 · Citrix Endpoint Management MDM/MAM Policy Compliance [critical]
- UC-2.6.66 · Citrix Endpoint Management App Distribution Failures [high]
- UC-2.6.67 · Citrix Endpoint Management Device Certificate Expiry [high]
- UC-2.6.68 · Citrix Endpoint Management Remote Wipe/Lock Action Tracking [critical]
- UC-2.6.69 · Citrix Endpoint Management Server Health [high]
- UC-2.6.70 · Citrix ShareFile Storage Zone Controller Health [high]
- UC-2.6.71 · Citrix ShareFile DLP Policy Violation Tracking [critical]
- UC-2.6.72 · Citrix ShareFile Mass Download and Data Exfiltration Detection [critical]
- UC-2.6.73 · Citrix ShareFile API Rate Limiting and Auth Failures [high]
- UC-2.6.74 · Citrix ShareFile User Activity Audit Trail [high]
- UC-2.6.75 · End-to-End Citrix Session Launch Time [critical]
- UC-2.6.76 · Citrix Client Ecosystem and Platform Distribution [medium]
- UC-2.6.77 · Citrix Per-Application Perceived Performance (Startup vs Hang vs Network) [high]
- UC-2.6.78 · Citrix Session Recording Pipeline and Storage Health [high]
- UC-2.6.79 · Citrix Secure Private Access (ZTNA) Session Monitoring [high]

## 3. Containers & Orchestration

Docker, Kubernetes, OpenShift container platforms — crash loops, OOM kills, resource limits, and orchestration health.

**Quick tip:** Deploy Splunk Connect for Kubernetes (SCK) to ingest container logs and cluster events.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-03-containers-orchestration.md

Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-03-containers-orchestration.md

### 3.1 Docker

- UC-3.1.1 · Container Crash Loops [critical]
- UC-3.1.2 · Container OOM Kills [critical]
- UC-3.1.3 · Container CPU Throttling [high]
- UC-3.1.4 · Container Memory Utilization [high]
- UC-3.1.5 · Image Vulnerability Scanning [medium]
- UC-3.1.6 · Privileged Container Detection [high]
- UC-3.1.7 · Container Sprawl [low]
- UC-3.1.8 · Docker Daemon Errors [high]
- UC-3.1.9 · Docker Daemon Health and Version Drift [medium]
- UC-3.1.10 · Container Image Vulnerability Scanning Results [high]
- UC-3.1.11 · Docker Daemon Resource Limits Monitoring [high]
- UC-3.1.12 · Compose Service Health [medium]
- UC-3.1.13 · Container Restart Loop Detection [critical]
- UC-3.1.14 · Docker Network Overlay Issues [high]
- UC-3.1.15 · Image Layer Bloat Analysis [low]
- UC-3.1.16 · Docker Volume Usage Trending [high]
- UC-3.1.17 · Container Resource Limit Enforcement [high]
- UC-3.1.18 · Docker Build Cache Efficiency [low]
- UC-3.1.19 · Container Log Driver Health [high]
- UC-3.1.20 · Docker Registry Mirror Health [medium]
- UC-3.1.21 · Container Runtime Security Events [high]
- UC-3.1.22 · Container Health Check Failures [high]
- UC-3.1.23 · Container Network I/O Anomalies [medium]
- UC-3.1.24 · Docker Exec Session Audit [high]
- UC-3.1.25 · Docker Socket Exposure Detection [critical]
- UC-3.1.26 · Image Pull Failures and Registry Connectivity [high]
- UC-3.1.27 · Dangling Images and Volume Cleanup [medium]
- UC-3.1.28 · Docker Swarm Service Replica Health [critical]
- UC-3.1.29 · Container Filesystem Write Rate [medium]

### 3.2 Kubernetes

- UC-3.2.1 · Pod Restart Rate [critical]
- UC-3.2.2 · Pod Scheduling Failures [high]
- UC-3.2.3 · Node NotReady Detection [critical]
- UC-3.2.4 · Resource Quota Exhaustion [high]
- UC-3.2.5 · Persistent Volume Claims [high]
- UC-3.2.6 · Deployment Rollout Failures [critical]
- UC-3.2.7 · Control Plane Health [critical]
- UC-3.2.8 · etcd Cluster Health [critical]
- UC-3.2.9 · Ingress Error Rates [high]
- UC-3.2.10 · CrashLoopBackOff Detection [critical]
- UC-3.2.11 · HPA Scaling Events [medium]
- UC-3.2.12 · RBAC Audit [high]
- UC-3.2.13 · Certificate Expiration [high]
- UC-3.2.14 · Container Image Pull Failures [high]
- UC-3.2.15 · DaemonSet Completeness [medium]
- UC-3.2.16 · Kubernetes PersistentVolume Claim Capacity [high]
- UC-3.2.17 · Kubernetes HorizontalPodAutoscaler Status [high]
- UC-3.2.18 · Kubernetes Ingress Backend Health [critical]
- UC-3.2.19 · Kubernetes DaemonSet Missing Pods [high]
- UC-3.2.20 · Kubernetes Job and CronJob Failure Rate [high]
- UC-3.2.21 · Kubernetes Admission Webhook Latency [medium]
- UC-3.2.22 · Pod Security Admission Violations [high]
- UC-3.2.23 · RBAC Audit Log Analysis [high]
- UC-3.2.24 · HPA Scale-Out Event Correlation [medium]
- UC-3.2.25 · PV/PVC Capacity Monitoring [high]
- UC-3.2.26 · etcd Health and Latency [critical]
- UC-3.2.27 · Ingress Controller Error Rates [high]
- UC-3.2.28 · Node Pressure Conditions (Disk/Memory/PID) [critical]
- UC-3.2.29 · CronJob Failure Tracking [high]
- UC-3.2.30 · Init Container Failures [high]
- UC-3.2.31 · Sidecar Injection Validation [medium]
- UC-3.2.32 · Namespace Quota Utilization Trending [high]
- UC-3.2.33 · Node Drain Events [high]
- UC-3.2.34 · Cluster DNS Resolution Failures [critical]
- UC-3.2.35 · Pod Anti-Affinity Violations [medium]
- UC-3.2.36 · Namespace Resource Limit Enforcement [high]
- UC-3.2.37 · Pod Disruption Budget Violations [high]
- UC-3.2.38 · Vertical Pod Autoscaler Recommendations [medium]
- UC-3.2.39 · Kubernetes Events Anomaly Detection [high]
- UC-3.2.40 · Persistent Volume Snapshot Status [medium]
- UC-3.2.41 · Service Endpoint Health [critical]
- UC-3.2.42 · Kubelet Certificate Rotation [high]
- UC-3.2.43 · Container Probe Failure Analysis [high]
- UC-3.2.44 · Node Pool Auto-Repair Events [medium]
- UC-3.2.45 · Admission Webhook Latency [medium]
- UC-3.2.46 · Cluster Autoscaler Pending Pods [high]

### 3.3 OpenShift

- UC-3.3.1 · Cluster Version & Upgrade Status [medium]
- UC-3.3.2 · Operator Degraded Detection [high]
- UC-3.3.3 · Build Failure Monitoring [medium]
- UC-3.3.4 · SCC Violation Detection [high]
- UC-3.3.5 · Helm Release Drift Detection [medium]
- UC-3.3.6 · Operator Health Monitoring [high]
- UC-3.3.7 · Build Config Failures [medium]
- UC-3.3.8 · Route TLS Expiry Detection [critical]
- UC-3.3.9 · Cluster Version Upgrade Status [medium]
- UC-3.3.10 · Image Stream Tag Drift [medium]
- UC-3.3.11 · Operator Subscription Health [high]
- UC-3.3.12 · Project Resource Quota Exhaustion [high]
- UC-3.3.13 · MachineSet Scaling Failures [high]
- UC-3.3.14 · Node NotReady Detection [critical]
- UC-3.3.15 · OAuth Access Token Audit [high]
- UC-3.3.16 · DeploymentConfig Rollout Failures [high]
- UC-3.3.17 · MachineConfigPool Degradation [critical]
- UC-3.3.18 · etcd Leader Changes [high]
- UC-3.3.19 · Ingress Controller Errors [high]
- UC-3.3.20 · Cluster Certificate Expiry [critical]
- UC-3.3.21 · ClusterRole and ClusterRoleBinding Changes [high]
- UC-3.3.22 · Pod Security Admission Violations [high]
- UC-3.3.23 · Console and API Access Audit [medium]
- UC-3.3.24 · MachineHealthCheck Remediations [high]
- UC-3.3.25 · LimitRange Enforcement Tracking [medium]

### 3.4 Container Registries

- UC-3.4.1 · Image Push/Pull Audit [medium]
- UC-3.4.2 · Vulnerability Scan Results [high]
- UC-3.4.3 · Storage Quota Monitoring [low]
- UC-3.4.4 · Registry Image Vulnerability Scan Results [high]
- UC-3.4.5 · Registry Authentication and Authorization Failures [high]
- UC-3.4.6 · Registry Replication Lag and Consistency [medium]
- UC-3.4.7 · Registry Image Tag Retention and Orphan Cleanup [low]
- UC-3.4.8 · Registry TLS and Certificate Expiration [critical]
- UC-3.4.9 · Container Image Vulnerability Age [critical]

### 3.5
Service Mesh & Serverless Containers - UC-3.5.1 · Istio Mesh Traffic Monitoring [high] - UC-3.5.2 · Sidecar Proxy Health [high] - UC-3.5.3 · mTLS Certificate Expiry [critical] - UC-3.5.7 · Envoy Proxy Error Rates [high] - UC-3.5.8 · Circuit Breaker Trips [high] - UC-3.5.9 · Service Mesh Control Plane Health [critical] - UC-3.5.10 · Ingress Gateway Latency [high] - UC-3.5.11 · Sidecar Injection Validation [medium] - UC-3.5.12 · Rate Limiting and Traffic Policy Compliance [medium] - UC-3.5.13 · eBPF Network Observability (Cilium Hubble) [high] - UC-3.5.14 · eBPF Process-Level Security Observability (Tetragon) [critical] - UC-3.5.15 · eBPF Auto-Instrumented Service Metrics (Beyla) [high] - UC-3.5.16 · Kubernetes Event Correlation with Application Traces [high] - UC-3.5.17 · Kubernetes Resource Quota and LimitRange Compliance [medium] ### 3.6 Container & Kubernetes Trending - UC-3.6.1 · Pod Restart Rate Trending [medium] - UC-3.6.2 · Container Image Vulnerability Trending [high] - UC-3.6.3 · Deployment Velocity Trending [medium] - UC-3.6.4 · Resource Request vs Limit Utilization Trending [medium] - UC-3.6.5 · Kubernetes Event Error Rate Trending [medium] - UC-3.6.6 · Ingress Traffic Volume Trending [medium] ## 4. Cloud Infrastructure AWS, Azure, GCP cloud infrastructure — API auditing, cost anomalies, resource drift, and security posture. **Quick tip:** Enable CloudTrail/Activity Log and use the respective Splunk TA to start collecting API audit events. 
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-04-cloud-infrastructure.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-04-cloud-infrastructure.md

### 4.1 Amazon Web Services (AWS)

- UC-4.1.1 · Unauthorized API Calls [high]
- UC-4.1.2 · Root Account Usage [critical]
- UC-4.1.3 · Security Group Changes [high]
- UC-4.1.4 · IAM Policy Changes [high]
- UC-4.1.5 · Console Login Without MFA [high]
- UC-4.1.6 · EC2 Instance State Changes [medium]
- UC-4.1.7 · S3 Bucket Policy Changes [critical]
- UC-4.1.8 · GuardDuty Finding Ingestion [critical]
- UC-4.1.9 · VPC Flow Log Analysis [high]
- UC-4.1.10 · EC2 Performance Monitoring [medium]
- UC-4.1.11 · RDS Performance Insights [high]
- UC-4.1.12 · Lambda Error Rate Monitoring [medium]
- UC-4.1.13 · EKS/ECS Cluster Health [high]
- UC-4.1.14 · Cost Anomaly Detection [medium]
- UC-4.1.15 · Config Compliance Monitoring [medium]
- UC-4.1.16 · KMS Key Usage Audit [medium]
- UC-4.1.17 · Elastic IP Association [low]
- UC-4.1.18 · CloudFormation Stack Drift [medium]
- UC-4.1.19 · WAF Blocked Request Analysis [medium]
- UC-4.1.20 · Reserved Instance Utilization [low]
- UC-4.1.21 · ALB/NLB Access Logs and 5xx Errors [high]
- UC-4.1.22 · ELB Target Health and Unhealthy Hosts [critical]
- UC-4.1.23 · CloudFront Cache Hit Ratio and Origin Errors [high]
- UC-4.1.24 · SQS Queue Depth and Age of Oldest Message [high]
- UC-4.1.25 · SQS Dead-Letter Queue Message Count [critical]
- UC-4.1.26 · DynamoDB Throttled Requests and Consumed Capacity [high]
- UC-4.1.27 · API Gateway 4xx/5xx and Throttling [high]
- UC-4.1.28 · EBS Volume Status and Burst Balance [high]
- UC-4.1.29 · EC2 Spot Instance Interruption Notices [high]
- UC-4.1.30 · CloudTrail Log File Delivery Failures [critical]
- UC-4.1.31 · CloudWatch Alarm State Changes [medium]
- UC-4.1.32 · NAT Gateway Bytes Processed and Connection Tracking [medium]
- UC-4.1.33 · VPN Connection State and Tunnel Status [critical]
- UC-4.1.34 · AWS Organizations SCP and OU Changes [high]
- UC-4.1.35 · S3 Replication Lag and Failed Replication [high]
- UC-4.1.36 · ElastiCache/Redis CPU and Evictions [high]
- UC-4.1.37 · SNS Delivery Failures and Bounce/Complaint [high]
- UC-4.1.38 · EventBridge Rule Invocation and Failed Invocations [medium]
- UC-4.1.39 · AWS Backup Restore Job Failures [critical]
- UC-4.1.40 · Route 53 Health Check Failures [critical]
- UC-4.1.41 · Redshift Cluster Health and Connection Count [high]
- UC-4.1.42 · Step Functions Execution Failures [high]
- UC-4.1.43 · EFS Burst Credit Balance and Throughput [medium]
- UC-4.1.44 · Inspector Vulnerability and Finding Trends [high]
- UC-4.1.45 · Systems Manager (SSM) Patch Compliance [high]
- UC-4.1.46 · Direct Connect Virtual Interface BGP State [critical]
- UC-4.1.47 · Glue Job Run Failures and Duration [high]
- UC-4.1.48 · Athena Query Execution Failures and Bytes Scanned [medium]
- UC-4.1.49 · FSx for Lustre/Windows Capacity and Throughput [medium]
- UC-4.1.50 · Trusted Advisor Check Results and Cost Optimization [low]
- UC-4.1.51 · Lambda Concurrent Executions and Throttling [high]
- UC-4.1.52 · ECR Image Scan Findings [high]
- UC-4.1.53 · CloudWatch Logs Subscription Filter Errors [medium]
- UC-4.1.54 · Kinesis Data Stream Iterator Age and Throttling [high]
- UC-4.1.55 · Secrets Manager Secret Rotation and Access [high]
- UC-4.1.56 · AWS Lambda Cold Start Monitoring [medium]
- UC-4.1.57 · AWS ECS Task Placement Failures [high]
- UC-4.1.58 · AWS Transit Gateway Attachment Health [high]
- UC-4.1.59 · S3 Suspicious Access Patterns [high]
- UC-4.1.60 · Security Hub Alert Aggregation [high]
- UC-4.1.61 · Network ACL Changes [high]
- UC-4.1.62 · RDS Performance Insights Trending [medium]
- UC-4.1.63 · ECS Service Health [high]
- UC-4.1.64 · EKS Control Plane Audit [high]
- UC-4.1.65 · GuardDuty Severity Analysis [high]
- UC-4.1.66 · AWS Config Rule Compliance Drift [medium]
- UC-4.1.67 · SNS Delivery Failures [high]
- UC-4.1.68 · SQS Dead Letter Queue Growth [high]
- UC-4.1.69 · CloudFront Error Rates by Distribution [high]
- UC-4.1.70 · Route 53 Health Check Failover Validation [critical]
- UC-4.1.71 · Systems Manager Patch Compliance [medium]
- UC-4.1.72 · Transit Gateway Route Table Attachment Health [high]
- UC-4.1.73 · ELB Target Health Check Failures [critical]
- UC-4.1.74 · IAM Access Analyzer Findings [medium]
- UC-4.1.75 · AWS Backup Job Status [critical]
- UC-4.1.76 · Lambda Layer Version Compliance [medium]
- UC-4.1.77 · AWS Fargate Task Health [high]

### 4.2 Microsoft Azure

- UC-4.2.1 · Azure Activity Log Monitoring [medium]
- UC-4.2.2 · Entra ID Sign-In Anomalies [critical]
- UC-4.2.3 · Entra ID Privilege Escalation [critical]
- UC-4.2.4 · NSG Flow Log Analysis [high]
- UC-4.2.5 · Azure VM Performance [medium]
- UC-4.2.6 · Azure SQL Performance [high]
- UC-4.2.7 · AKS Cluster Health [high]
- UC-4.2.8 · Azure Key Vault Access Audit [high]
- UC-4.2.9 · Defender for Cloud Alerts [critical]
- UC-4.2.10 · Storage Account Access Anomalies [medium]
- UC-4.2.11 · Resource Health Events [high]
- UC-4.2.12 · Cost Management Alerts [low]
- UC-4.2.13 · App Service (Web App) HTTP 5xx and Slot Swap [high]
- UC-4.2.14 · Azure Load Balancer Health Probe Failures [critical]
- UC-4.2.15 · Azure Backup Job Failures [critical]
- UC-4.2.16 · Logic Apps Run Failures [high]
- UC-4.2.17 · Service Bus Queue Message Count and Dead Letter [high]
- UC-4.2.18 · Cosmos DB RU Consumption and Throttling [high]
- UC-4.2.19 · Azure Front Door / CDN Origin Errors and Cache Hit [high]
- UC-4.2.20 · Event Grid Delivery Failures [high]
- UC-4.2.21 · Azure Container Registry Pull/Push and Vulnerability Scan [medium]
- UC-4.2.22 · Azure Firewall Rule Hit and Threat Intel [high]
- UC-4.2.23 · Azure Database for MySQL/PostgreSQL Metrics [high]
- UC-4.2.24 · Azure Monitor Alert State Changes [medium]
- UC-4.2.25 · Entra ID Conditional Access Blocked Sign-Ins [high]
- UC-4.2.26 · Azure Service Health and Planned Maintenance [high]
- UC-4.2.27 · Azure Policy Compliance and Non-Compliant Resources [medium]
- UC-4.2.28 · Azure App Service Plan CPU and Memory [high]
- UC-4.2.29 · Azure Front Door Origin Health [critical]
- UC-4.2.30 · NSG Flow Log Threat Hunting [high]
- UC-4.2.31 · Azure Policy Compliance Trending [medium]
- UC-4.2.32 · Key Vault Access Audit [high]
- UC-4.2.33 · App Service Health Metrics [high]
- UC-4.2.34 · AKS Diagnostics and Errors [high]
- UC-4.2.35 · Cost Management Anomaly Detection [medium]
- UC-4.2.36 · Azure Firewall Threat Intelligence Hits [high]
- UC-4.2.37 · Front Door WAF Blocks [high]
- UC-4.2.38 · Logic App Run Failures [medium]
- UC-4.2.39 · Event Hub Capture Lag [high]
- UC-4.2.40 · Azure Backup Job Health [critical]
- UC-4.2.41 · Private Link DNS Resolution [high]
- UC-4.2.42 · Azure Monitor Alert Rule Health [medium]
- UC-4.2.43 · Defender for Cloud Recommendations [medium]
- UC-4.2.44 · Azure Resource Lock Changes [high]
- UC-4.2.45 · Azure Container Instances Health [high]
- UC-4.2.46 · Azure Application Gateway and WAF Health [critical]
- UC-4.2.47 · Azure VPN Gateway Tunnel Status [critical]
- UC-4.2.48 · Azure ExpressRoute Circuit Health [critical]
- UC-4.2.49 · Azure Redis Cache Performance [high]
- UC-4.2.50 · Azure Data Factory Pipeline Failures [high]
- UC-4.2.51 · Azure API Management (APIM) Health [high]
- UC-4.2.52 · Azure Virtual Desktop Session Health [high]
- UC-4.2.53 · Azure Traffic Manager Endpoint Health [high]
- UC-4.2.54 · Azure Bastion Session Audit [medium]
- UC-4.2.55 · Azure Network Watcher Connection Troubleshooting [medium]
- UC-4.2.56 · Azure Storage Queue Depth and Poison Messages [high]
- UC-4.2.57 · Azure Managed Disk Performance Throttling [high]

### 4.3 Google Cloud Platform (GCP)

- UC-4.3.1 · Audit Log Monitoring [high]
- UC-4.3.2 · IAM Policy Changes [critical]
- UC-4.3.3 · VPC Flow Log Analysis [high]
- UC-4.3.4 · GKE Cluster Health [high]
- UC-4.3.5 · Security Command Center [critical]
- UC-4.3.6 · GCE Instance Monitoring [medium]
- UC-4.3.7 · BigQuery Audit and Cost [medium]
- UC-4.3.8 · Cloud Run/Functions Errors [medium]
- UC-4.3.9 · Cloud Load Balancing Backend Health and Request Count [critical]
- UC-4.3.10 · Cloud Pub/Sub Subscription Backlog and Dead Letter [high]
- UC-4.3.11 · Cloud Storage (GCS) Request Metrics and Cost [medium]
- UC-4.3.12 · Cloud SQL Instance Metrics and Replication Lag [high]
- UC-4.3.13 · Cloud Build Build Failures and Duration [high]
- UC-4.3.14 · GKE Node Pool Autoscaling and Upgrade Events [high]
- UC-4.3.15 · Cloud CDN Cache Hit Ratio and Egress [medium]
- UC-4.3.16 · Artifact Registry Push/Pull and Vulnerability Scan [medium]
- UC-4.3.17 · Cloud Logging Export Sink and Exclusion Filter [medium]
- UC-4.3.18 · Cloud IAM Policy and Binding Changes (Beyond SetIamPolicy) [high]
- UC-4.3.19 · Cloud Billing Budget Alerts and Anomaly [medium]
- UC-4.3.20 · Cloud Armor Security Policy and DDoS Metrics [high]
- UC-4.3.21 · Cloud Run Revision Traffic and Error Rate [high]
- UC-4.3.22 · Dataproc Cluster and Job Failures [high]
- UC-4.3.23 · VPC Service Controls Perimeter Violations [critical]
- UC-4.3.24 · GCP Cloud Run Cold Start Rate [medium]
- UC-4.3.25 · BigQuery Slot Usage Monitoring [high]
- UC-4.3.26 · GKE Autopilot Pod Scaling [medium]
- UC-4.3.27 · Cloud Armor WAF Events [high]
- UC-4.3.28 · VPC Service Controls Violations [critical]
- UC-4.3.29 · Pub/Sub Subscription Backlog [high]
- UC-4.3.30 · Security Command Center Findings [high]
- UC-4.3.31 · Cloud KMS Key Rotation Compliance [medium]
- UC-4.3.32 · Cloud Logging Sink Health [high]
- UC-4.3.33 · GKE Node Auto-Repair Events [medium]
- UC-4.3.34 · Dataflow Pipeline Health [high]
- UC-4.3.35 · Cloud SQL Connection Limits [high]
- UC-4.3.36 · Memorystore (Redis) Health [high]
- UC-4.3.37 · Cloud CDN Cache Performance [medium]
- UC-4.3.38 · GCS Bucket Policy Changes [critical]
- UC-4.3.39 · Anthos Service Mesh Health [high]
- UC-4.3.40 · GCP Cloud Run Task Health [high]

### 4.4 Multi-Cloud & Cloud Management

- UC-4.4.1 · Terraform Drift Detection [medium]
- UC-4.4.2 · Cross-Cloud Identity Correlation [medium]
- UC-4.4.3 · Multi-Cloud Cost Dashboard [medium]
- UC-4.4.4 · Cloud Resource Tagging Compliance [low]
- UC-4.4.5 · Cloud Resource Inventory and Drift Summary [medium]
- UC-4.4.6 · Multi-Cloud Security Posture (CSPM) Findings [high]
- UC-4.4.7 · Cross-Cloud Log Ingestion Pipeline Health [high]
- UC-4.4.8 · Cloud Spend by Tag or Project (Chargeback) [medium]
- UC-4.4.9 · Reserved Capacity and Savings Plan Utilization (Multi-Cloud) [low]
- UC-4.4.10 · Cloud API Rate Limit and Throttling (429) Trends [medium]
- UC-4.4.11 · Cloud Encryption and Key Rotation Compliance [high]
- UC-4.4.12 · Multi-Cloud Identity and Access Anomalies [high]
- UC-4.4.13 · Cloud Provider Status and Incident Correlation [medium]
- UC-4.4.14 · Cloud Trail and Diagnostic Logging Gaps [critical]
- UC-4.4.15 · Cloud Resource Tag Compliance and Drift [medium]
- UC-4.4.16 · Cross-Region Replication and Backup Verification [high]
- UC-4.4.17 · Cloud Quota and Service Limit Utilization [high]
- UC-4.4.18 · Cloud Endpoint and DNS Resolution Health [medium]
- UC-4.4.19 · Multi-Cloud Cost Anomaly and Spike Detection [high]
- UC-4.4.20 · Multi-Cloud DNS Resolution Latency [medium]
- UC-4.4.21 · Cloud Resource Tag Coverage Trending [medium]
- UC-4.4.22 · Cross-Cloud Identity Federation Monitoring [high]
- UC-4.4.23 · Multi-Cloud DNS Resolution Health [high]
- UC-4.4.24 · Hybrid Connectivity Status [critical]
- UC-4.4.25 · Multi-Cloud Secret Management Audit [critical]
- UC-4.4.26 · Cross-Cloud Resource Tagging Compliance [medium]
- UC-4.4.27 · Multi-Cloud Egress Cost Comparison [medium]
- UC-4.4.28 · Hybrid Identity Synchronization Health [high]
- UC-4.4.29 · Multi-Cloud Backup Recovery Testing [high]
- UC-4.4.30 · Cloud Provider API Rate Limit Monitoring [high]
- UC-4.4.31 · Multi-Cloud Certificate Expiry Tracking [critical]

### 4.5 Serverless & FaaS

- UC-4.5.1 · Lambda Invocation Errors and Failed Invocations [high]
- UC-4.5.2 · Lambda Cold Start and Init Duration Latency [medium]
- UC-4.5.3 · Lambda Concurrent Execution Limits and Throttling [high]
- UC-4.5.4 · Azure Functions Host and Worker Health [high]
- UC-4.5.5 · Azure Functions Execution Duration [medium]
- UC-4.5.6 · Azure Functions Queue Trigger Backlog and Failures [high]
- UC-4.5.7 · GCP Cloud Functions Memory Utilization [medium]
- UC-4.5.8 · GCP Cloud Functions Timeout Monitoring [high]
- UC-4.5.9 · Serverless Cost Tracking by Function [medium]
- UC-4.5.10 · Lambda Dead Letter Queue Depth and Message Rate [high]
- UC-4.5.11 · AWS Step Functions Execution Failures [high]
- UC-4.5.12 · Azure Durable Functions Orchestration Health [high]
- UC-4.5.13 · Lambda Provisioned Concurrency Utilization [medium]
- UC-4.5.14 · API Gateway Integration Latency for Serverless Backends [medium]
- UC-4.5.15 · GCP Cloud Functions Retry and Error Rate Trending [high]
- UC-4.4.32 · Cloud Control Plane API Call Volume Anomaly (MLTK) [critical]

### 4.6 Cloud Infrastructure Trending

- UC-4.6.1 · Cloud Resource Count Trending [medium]
- UC-4.6.2 · Lambda/Function Invocation Volume Trending [medium]
- UC-4.6.3 · Cloud Security Finding Trending [high]
- UC-4.6.4 · S3/Blob Storage Growth Trending [medium]
- UC-4.6.5 · Cloud Network Traffic Volume Trending [medium]
- UC-4.6.6 · CloudTrail/Activity Log Event Volume Trending [medium]

## 5. Network Infrastructure

Routers, switches, firewalls, load balancers, wireless (Cisco C9800, Meraki MR, HPE Aruba), SD-WAN (Cisco, Fortinet, VeloCloud, Aruba EdgeConnect, Versa, Cato SASE), DNS/DHCP/DDI (BlueCat, Infoblox, Windows/BIND), network flow & packet analytics (NetFlow, Zeek, SPAN/TAP), network management platforms, CDN monitoring (CloudFront, Akamai, Fastly), ThousandEyes DEM, carrier signaling, gNMI streaming telemetry, and telecom CDR — MPLS/IS-IS/BFD, multicast, QoS, IPv6, NTP, topology discovery, and network assurance.
**Quick tip:** Configure syslog from network devices to Splunk. Install Splunk Add-on for Cisco or vendor-specific TA.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-05-network-infrastructure.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-05-network-infrastructure.md

### 5.1 Routers & Switches

- UC-5.1.1 · Interface Up/Down Events [critical]
- UC-5.1.2 · Interface Error Rates [high]
- UC-5.1.3 · Interface Utilization [high]
- UC-5.1.4 · BGP Peer State Changes [critical]
- UC-5.1.5 · OSPF Neighbor Adjacency [critical]
- UC-5.1.6 · Spanning Tree Topology Change [high]
- UC-5.1.7 · Configuration Change Detection [high]
- UC-5.1.8 · Device CPU/Memory Utilization [high]
- UC-5.1.9 · Device Uptime / Reload Tracking [medium]
- UC-5.1.10 · VLAN Configuration Changes [medium]
- UC-5.1.11 · Power Supply / Fan Failures [critical]
- UC-5.1.12 · ARP/MAC Table Anomalies [medium]
- UC-5.1.13 · ACL Deny Logging [medium]
- UC-5.1.14 · SNMP Authentication Failures [medium]
- UC-5.1.15 · Environmental Monitoring [high]
- UC-5.1.16 · Route Table Flapping [critical]
- UC-5.1.17 · Duplex Mismatch Detection [high]
- UC-5.1.18 · CDP/LLDP Neighbor Changes [medium]
- UC-5.1.19 · PoE Power Budget Monitoring [high]
- UC-5.1.20 · EIGRP Neighbor Flapping [critical]
- UC-5.1.21 · CRC Error Trending [high]
- UC-5.1.22 · Syslog Source Health [high]
- UC-5.1.23 · HSRP/VRRP State Changes [critical]
- UC-5.1.24 · Network Device Configuration Backup Freshness [high]
- UC-5.1.25 · Network Configuration Drift Detection [high]
- UC-5.1.26 · Network Device Firmware Version Compliance [medium]
- UC-5.1.27 · Interface Error Rate Trending [high]
- UC-5.1.28 · STP Topology Change Rate [high]
- UC-5.1.29 · ARP Table Size Trending [medium]
- UC-5.1.30 · MAC Address Table Capacity [medium]
- UC-5.1.31 · QoS Policy Drops per Class [medium]
- UC-5.1.32 · Network Device End-of-Life Tracking [medium]
- UC-5.1.33 · Half-Duplex Negotiation Anomaly [medium]
- UC-5.1.34 · PoE Power Budget Utilization [medium]
- UC-5.1.35 · LLDP / CDP Neighbor Change Detection [medium]
- UC-5.1.36 · Port Utilization and Congestion Alerts (Meraki MS) [medium]
- UC-5.1.37 · Power over Ethernet (PoE) Consumption Tracking (Meraki MS) [medium]
- UC-5.1.38 · Spanning Tree Protocol (STP) Topology Changes (Meraki MS) [high]
- UC-5.1.39 · Port Security Violations and Rogue Device Detection (Meraki MS) [critical]
- UC-5.1.40 · Switch Interface Up/Down Events and Link Flapping (Meraki MS) [high]
- UC-5.1.41 · VLAN Configuration Mismatches and Tagging Violations (Meraki MS) [medium]
- UC-5.1.42 · MAC Flooding and Bridge Table Exhaustion (Meraki MS) [high]
- UC-5.1.43 · DHCP Snooping Violations (Meraki MS) [high]
- UC-5.1.44 · Broadcast Storm Detection and Mitigation (Meraki MS) [critical]
- UC-5.1.45 · Switch CPU and Memory Utilization (Meraki MS) [medium]
- UC-5.1.46 · Stack Unit and Redundancy Health (Meraki MS) [high]
- UC-5.1.47 · Trunk Link Utilization and Performance (Meraki MS) [medium]
- UC-5.1.48 · QoS Queue Drops and Priority Violations (Meraki MS) [medium]
- UC-5.1.49 · Port Access Control List (ACL) Hits and Block Events (Meraki MS) [medium]
- UC-5.1.50 · Cable Test Results and Port Diagnostics (Meraki MS) [medium]
- UC-5.1.51 · Uplink Health and Failover Events (Meraki MS) [critical]
- UC-5.1.52 · Cellular Gateway Signal Strength Trending (Meraki MG) [medium]
- UC-5.1.53 · Cellular Data Usage and Overage Monitoring (Meraki MG) [medium]
- UC-5.1.54 · Carrier Connection Health and Network Performance (Meraki MG) [high]
- UC-5.1.55 · SIM Status and Plan Monitoring (Meraki MG) [medium]
- UC-5.1.56 · Junos Chassis Alarm Monitoring (Juniper) [critical]
- UC-5.1.57 · Junos Commit History and Configuration Rollback Audit (Juniper) [high]
- UC-5.1.58 · Junos Routing Engine Failover Monitoring (Juniper) [critical]
- UC-5.1.59 · Junos Virtual Chassis Health (Juniper) [high]
- UC-5.1.60 · Arista MLAG Health and Consistency (Arista) [critical]
- UC-5.1.61 · Arista EOS Agent Health Monitoring (Arista) [high]
- UC-5.1.62 · Arista CloudVision Telemetry Alerts (Arista) [high]
- UC-5.1.63 · Aruba CX VSF Stack Health (HPE Aruba) [high]
- UC-5.1.64 · Aruba CX VSX Redundancy Monitoring (HPE Aruba) [critical]
- UC-5.1.65 · MPLS LDP Session and Label Distribution Health [critical]
- UC-5.1.66 · RSVP-TE Tunnel State and Path Errors [critical]
- UC-5.1.67 · IS-IS Adjacency and SPF Calculation Monitoring [critical]
- UC-5.1.68 · BFD Session State for IGP Fast Failure Detection [critical]
- UC-5.1.69 · IPv6 Interface and Neighbor Discovery Monitoring [medium]
- UC-5.1.70 · NTP Stratum and Peer Health on Network Devices [high]
- UC-5.1.71 · QoS DSCP Marking and Classification Visibility [medium]
- UC-5.1.72 · PIM Neighbor and Multicast Group State Monitoring [medium]
- UC-5.1.73 · IGMP Snooping and Multicast Group Membership [medium]
- UC-5.1.74 · VLAN Configuration Change and VTP Audit [high]
- UC-5.1.75 · Network Topology Discovery and Source-of-Truth Reconciliation [medium]

### 5.2 Firewalls

- UC-5.2.1 · Top Denied Traffic Sources [medium]
- UC-5.2.2 · Policy Change Audit [critical]
- UC-5.2.3 · Threat Detection Events [critical]
- UC-5.2.4 · VPN Tunnel Status [high]
- UC-5.2.5 · High-Risk Port Exposure [high]
- UC-5.2.6 · Geo-IP Anomaly Detection [high]
- UC-5.2.7 · Connection Rate Anomalies [high]
- UC-5.2.8 · Certificate Inspection Failures [medium]
- UC-5.2.9 · URL Filtering Blocks [medium]
- UC-5.2.10 · Admin Access Audit [high]
- UC-5.2.11 · Firewall Resource Utilization [high]
- UC-5.2.12 · NAT Pool Exhaustion [high]
- UC-5.2.13 · Session Table Exhaustion [critical]
- UC-5.2.14 · Firewall HA Failover Events [critical]
- UC-5.2.15 · Botnet/C2 Traffic Detection [critical]
- UC-5.2.16 · SSL/TLS Decryption Failures [high]
- UC-5.2.17 · Firewall Rule Hit Count Analysis [medium]
- UC-5.2.18 · Threat Prevention Signature Coverage [high]
- UC-5.2.19 · VPN Tunnel Status and Path Monitoring (Meraki MX) [critical]
- UC-5.2.20 · Content Filtering and URL Category Blocks (Meraki MX) [high]
- UC-5.2.21 · IDS/IPS Alert Analysis and Threat Scoring (Meraki MX) [critical]
- UC-5.2.22 · Malware Detection and AMP File Reputation Events (Meraki MX) [critical]
- UC-5.2.23 · Firewall Rule Hit Analysis and Top Denied Flows (Meraki MX) [medium]
- UC-5.2.24 · Traffic Shaping Effectiveness and QoS Policy Analysis (Meraki MX) [medium]
- UC-5.2.25 · Site-to-Site VPN Latency and Performance (Meraki MX) [medium]
- UC-5.2.26 · Client VPN Connections and Remote Access Patterns (Meraki MX) [medium]
- UC-5.2.27 · NAT Pool Usage and Exhaustion Alerts (Meraki MX) [high]
- UC-5.2.28 · BGP Peering Status and Route Stability (Meraki MX) [high]
- UC-5.2.29 · Threat Intelligence Correlation and IoC Matching (Meraki MX) [critical]
- UC-5.2.30 · Geo-Blocking Event Tracking and Geographic Policy Enforcement (Meraki MX) [medium]
- UC-5.2.31 · Application Visibility and Network Application Trending (Meraki MX) [medium]
- UC-5.2.32 · Bandwidth by Application and Department (Meraki MX) [medium]
- UC-5.2.33 · WAN Link Quality Monitoring — Jitter, Latency, Packet Loss (Meraki MX) [high]
- UC-5.2.34 · Internet Uplink Failover Events and Recovery Time (Meraki MX) [critical]
- UC-5.2.35 · Cellular Modem Failover Activation and Usage (Meraki MX) [high]
- UC-5.2.36 · Warm Spare Failover and Appliance Redundancy (Meraki MX) [critical]
- UC-5.2.37 · Auto VPN Path Changes and Tunnel Switching (Meraki MX) [medium]
- UC-5.2.38 · Connection Rate Analysis and DOS Detection (Meraki MX) [critical]
- UC-5.2.39 · Data Loss Prevention (DLP) Event Analysis (Meraki MX) [critical]
- UC-5.2.40 · Meraki VPN Tunnel and Failover Health [high]
- UC-5.2.41 · Juniper SRX IDP/IPS Event Monitoring (Juniper SRX) [high]
- UC-5.2.42 · Juniper SRX Screen Counter Monitoring (Juniper SRX) [high]
- UC-5.2.43 · Juniper SRX Cluster Failover Events (Juniper SRX) [critical]
- UC-5.2.44 · FortiGate Security Fabric Health Monitoring (Fortinet) [high]
- UC-5.2.45 · FortiGate SD-WAN Health Check and SLA Monitoring (Fortinet) [high]
- UC-5.2.46 · FortiGate Web Filter and Application Control Events (Fortinet) [medium]
- UC-5.2.47 · Check Point ClusterXL Failover Events (Check Point) [critical]
- UC-5.2.48 · Check Point Policy Install and Publish Tracking (Check Point) [high]
- UC-5.2.49 · Check Point SecureXL Acceleration Status (Check Point) [high]
- UC-5.2.50 · Check Point CoreXL CPU Distribution (Check Point) [high]
- UC-5.2.51 · Check Point Log Rate and Capacity (Check Point) [high]
- UC-5.2.52 · Check Point Anti-Spoofing Violations (Check Point) [critical]
- UC-5.2.53 · Check Point HTTPS Inspection Status and Bypass (Check Point) [high]
- UC-5.2.54 · Check Point Gateway Connection Table Utilization (Check Point) [critical]

### 5.3 Load Balancers & ADCs

- UC-5.3.1 · Pool Member Health Status (F5 BIG-IP) [critical]
- UC-5.3.2 · Virtual Server Availability (F5 BIG-IP) [critical]
- UC-5.3.3 · Connection and Throughput Trending (F5 BIG-IP) [medium]
- UC-5.3.4 · SSL Certificate Expiry (F5 BIG-IP) [high]
- UC-5.3.5 · HTTP Error Rate by VIP (F5 BIG-IP) [high]
- UC-5.3.6 · Response Time Degradation (F5 BIG-IP) [high]
- UC-5.3.7 · Session Persistence Issues (F5 BIG-IP) [medium]
- UC-5.3.8 · WAF Policy Violations (F5 BIG-IP ASM) [high]
- UC-5.3.9 · Connection Queue Depth (F5 BIG-IP) [critical]
- UC-5.3.10 · Backend Server Error Code Distribution (F5 BIG-IP) [high]
- UC-5.3.11 · Rate Limiting and DDoS Mitigation Events (F5 BIG-IP) [critical]
- UC-5.3.12 · iRule/Policy Errors (F5 BIG-IP) [high]
- UC-5.3.13 · Citrix ADC Virtual Server Health and State (NetScaler) [critical]
- UC-5.3.14 · Citrix ADC Service Group Member Health (NetScaler) [high]
- UC-5.3.15 · Citrix ADC SSL Certificate Expiration Monitoring (NetScaler) [critical]
- UC-5.3.16 · Citrix ADC High Availability Failover Monitoring (NetScaler) [critical]
- UC-5.3.17 · Citrix ADC GSLB Site and Service Health (NetScaler) [high]
- UC-5.3.18 · Citrix Gateway / VPN Session Monitoring (NetScaler) [high]
- UC-5.3.19 · Citrix ADC Content Switching Policy Hit Rate (NetScaler) [medium]
- UC-5.3.20 · Citrix ADC System Resource Utilization (NetScaler) [high]
- UC-5.3.21 · Citrix ADC Responder and Rewrite Policy Errors (NetScaler) [medium]
- UC-5.3.22 · Citrix ADC SSL Offload Performance (NetScaler) [high]

### 5.4 Wireless Infrastructure

- UC-5.4.1 · AP Offline Detection [critical]
- UC-5.4.2 · Client Association Failures [medium]
- UC-5.4.3 · Channel Utilization [medium]
- UC-5.4.4 · Rogue AP Detection [high]
- UC-5.4.5 · Client Count Trending [low]
- UC-5.4.6 · RF Interference Events [medium]
- UC-5.4.7 · Wireless Authentication Trends [medium]
- UC-5.4.8 · RADIUS Authentication Failures [critical]
- UC-5.4.9 · Client Roaming Analysis [medium]
- UC-5.4.10 · Wireless IDS/IPS Events [critical]
- UC-5.4.11 · Band Steering Effectiveness [low]
- UC-5.4.12 · Wireless Client Association Failures (Meraki MR) [high]
- UC-5.4.13 · RSSI/Signal Strength Degradation Detection (Meraki MR) [medium]
- UC-5.4.14 · Excessive Client Roaming Activity (Meraki MR) [medium]
- UC-5.4.15 · SSID Performance Ranking and Trend Analysis (Meraki MR) [medium]
- UC-5.4.16 · WiFi Channel Utilization and Interference Detection (Meraki MR) [high]
- UC-5.4.17 · Rogue and Unauthorized AP Detection — Air Marshal (Meraki MR) [critical]
- UC-5.4.18 · Client Device Type Distribution and Compliance (Meraki MR) [medium]
- UC-5.4.19 · Band Steering Effectiveness Assessment (Meraki MR) [medium]
- UC-5.4.20 · 802.1X Authentication Failures and RADIUS Issues (Meraki MR) [high]
- UC-5.4.21 · Wireless Latency Analysis by SSID and Location (Meraki MR) [medium]
- UC-5.4.22 · Splash Page Engagement and Redirection Analytics (Meraki MR) [low]
- UC-5.4.23 · Multicast and Broadcast Storm Detection (Meraki MR) [high]
- UC-5.4.24 · Wireless Health Score Trending (Meraki MR) [medium]
- UC-5.4.25 · Connected Client Count Trending and Capacity Planning (Meraki MR) [medium]
- UC-5.4.26 · Top Talker Analysis and Bandwidth Hogs (Meraki MR) [medium]
- UC-5.4.27 · Connection Duration and Session Quality (Meraki MR) [low]
- UC-5.4.28 · AP Uptime and Availability Monitoring (Meraki MR) [critical]
- UC-5.4.29 · Mesh Network Link Quality and Backhaul Health (Meraki MR) [high]
- UC-5.4.30 · Guest Network Access Patterns and Usage (Meraki MR) [low]
- UC-5.4.31 · WiFi Geolocation and Location Analytics (Meraki MR) [low]
- UC-5.4.32 · Wireless Client Association and Roaming Failures (Meraki MR) [medium]
- UC-5.4.33 · AP Health and Radio Status Monitoring (HPE Aruba) [high]
- UC-5.4.34 · Aruba ClearPass RADIUS Authentication Health (HPE Aruba) [critical]
- UC-5.4.35 · Aruba Air Monitor — WIDS/WIPS Events (HPE Aruba) [high]
- UC-5.4.36 · Aruba Dynamic Segmentation Policy Enforcement (HPE Aruba) [high]
- UC-5.4.37 · Aruba Client Experience and Connectivity Score (HPE Aruba) [medium]
- UC-5.4.38 · Cisco C9800 WLC AP Join Failures [critical]
- UC-5.4.39 · Cisco C9800 Client Authentication and Session Monitoring [high]
- UC-5.4.40 · Cisco C9800 RF Performance and Channel Assignment [medium]

### 5.5 SD-WAN

- UC-5.5.1 · Tunnel Health Monitoring [critical]
- UC-5.5.2 · Site Availability [critical]
- UC-5.5.3 · Application SLA Violations [high]
- UC-5.5.4 · Path Failover Events [medium]
- UC-5.5.5 · Control Plane Health [high]
- UC-5.5.6 · Certificate Expiration [medium]
- UC-5.5.7 · Bandwidth Utilization per Site [medium]
- UC-5.5.8 · Jitter and Latency per Tunnel [high]
- UC-5.5.9 · Application Routing Decisions [medium]
- UC-5.5.10 · WAN Link Utilization per Transport [high]
- UC-5.5.11 · OMP Route Table Monitoring [high]
- UC-5.5.12 · BFD Session Monitoring [critical]
- UC-5.5.13 · Edge Device Resource Utilization [high]
- UC-5.5.14 · Firmware Version Compliance [medium]
- UC-5.5.15 · DPI Application Visibility [medium]
- UC-5.5.16 · Cloud OnRamp Performance [high]
- UC-5.5.17 · Security Policy Violations (UTD) [critical]
- UC-5.5.18 · vManage Cluster Health [critical]
- UC-5.5.19 · Transport Circuit SLA Tracking [medium]
- UC-5.5.20 · Hub-and-Spoke vs Full-Mesh Topology Validation [medium]
- UC-5.5.21 · VMware VeloCloud Orchestrator Tunnel Health [critical]
- UC-5.5.22 · Aruba EdgeConnect SD-WAN Tunnel and Application Performance [critical]
- UC-5.5.23 · Versa Networks SD-WAN Path Quality and Routing Decisions [high]
- UC-5.5.24 · Fortinet SD-WAN Health-Check and SLA Compliance [high]
- UC-5.5.25 · Cato Networks SASE Event Monitoring [high]

### 5.6 DNS & DHCP

- UC-5.6.1 · DNS Query Volume Trending [medium]
- UC-5.6.2 · NXDOMAIN Spike Detection [high]
- UC-5.6.3 · SERVFAIL Rate Monitoring [high]
- UC-5.6.4 · DNS Tunneling Detection [high]
- UC-5.6.5 · DHCP Scope Exhaustion [high]
- UC-5.6.6 · DHCP Rogue Server Detection [high]
- UC-5.6.7 · DNS Record Change Audit [medium]
- UC-5.6.8 · DNS Latency Monitoring [medium]
- UC-5.6.9 · DNS Cache Hit Ratio [medium]
- UC-5.6.10 · DNSSEC Validation Failures [high]
- UC-5.6.11 · DHCP Lease Duration Analysis [low]
- UC-5.6.12 · DNS Query Type Distribution [medium]
- UC-5.6.13 · Failed DHCP Assignments and IP Pool Exhaustion (Meraki) [high]
- UC-5.6.14 · DNS Resolution Performance and Failures (Meraki) [medium]
- UC-5.6.15 · DHCP Pool Exhaustion and Address Allocation Issues (Meraki) [high]
- UC-5.6.16 · DHCP Lease Exhaustion and Scope Utilization [high]
- UC-5.6.17 · DNS Query Latency and Resolution Failure by Resolver [high]
- UC-5.6.18 · BlueCat DNS Edge Query Analytics [high]
- UC-5.6.19 · BlueCat DHCP Lease Utilization and Scope Health [high]

### 5.7 Network Flow Data

- UC-5.7.1 · Top Talkers Analysis [medium]
- UC-5.7.2 · Anomalous Traffic Patterns [high]
- UC-5.7.3 · Bandwidth by Application [medium]
- UC-5.7.4 · East-West Traffic Monitoring [medium]
- UC-5.7.5 · Data Exfiltration Detection [critical]
- UC-5.7.6 · Port Scan Detection [high]
- UC-5.7.7 · Protocol Distribution Analysis [medium]
- UC-5.7.8 · Multicast Traffic Monitoring [medium]
- UC-5.7.9 · Unauthorized VLAN Traffic Detection [critical]
- UC-5.7.10 · Long-Duration Flow Detection [high]
- UC-5.7.11 · Zeek (Bro) Connection Log Analysis [high]
- UC-5.7.12 · SPAN/TAP Port and Packet Broker Health [high]

### 5.8 Network Management Platforms

- UC-5.8.1 · DNA Center Assurance Alerts (Cisco Catalyst Center) [medium]
- UC-5.8.2 · Meraki Organization Monitoring [medium]
- UC-5.8.3 · SNMP Trap Consolidation [medium]
- UC-5.8.4 · Network Device Inventory [low]
- UC-5.8.5 · Network Device Backup Compliance [high]
- UC-5.8.7 · Network Configuration Drift Detection [high]
- UC-5.8.8 · SNMP Polling Gap Detection [medium]
- UC-5.8.9 · SSL/TLS Certificate Expiration Tracking (Meraki) [medium]
- UC-5.8.10 · Firmware Update Compliance and Version Tracking (Meraki) [medium]
- UC-5.8.11 · API Call Rate Monitoring and Rate Limit Alerts (Meraki) [medium]
- UC-5.8.12 · License Expiration Tracking and Renewal Alerts (Meraki) [critical]
- UC-5.8.13 · Network Device Inventory and Change Audit (Meraki) [medium]
- UC-5.8.14 · Admin Activity Logging and Access Control Audit (Meraki) [critical]
- UC-5.8.15 · Admin Privilege Changes and Permission Escalation (Meraki) [critical]
- UC-5.8.16 · Alert Volume Trending and Alert Fatigue Analysis (Meraki) [medium]
- UC-5.8.17 · Network Health Score Aggregation and Executive Reporting (Meraki) [medium]
- UC-5.8.18 · Device Online/Offline Status Monitoring (Meraki) [critical]
- UC-5.8.19 · Multi-Organization Comparison and Benchmarking (Meraki) [low]
- UC-5.8.20 · Configuration Change Window Compliance (Meraki) [medium]
- UC-5.8.21 · Webhook Delivery Failure Tracking (Meraki) [medium]
- UC-5.8.22 · API Error Rate and Endpoint Health (Meraki) [medium]
- UC-5.8.23 · Dashboard Configuration and Export Backup (Meraki) [low]
- UC-5.8.24 · Network Device Configuration Backup and Drift [high]
- UC-5.8.25 · SNMP Trap Storm Detection [high]
- UC-5.8.26 · CDN Origin Hit Rate and Cache Efficiency (CloudFront / Akamai / Fastly) [high]
- UC-5.8.27 · CDN Edge Error Rate and 5xx Response Monitoring [critical]

### 5.9 Cisco ThousandEyes

- UC-5.9.1 · Network Latency Monitoring (Agent-to-Server) [critical]
- UC-5.9.2 · Network Packet Loss Monitoring [critical]
- UC-5.9.3 · Network Jitter Monitoring [high]
- UC-5.9.4 · Agent-to-Agent Latency and Throughput [high]
- UC-5.9.5 · Path Hop Count Analysis [medium]
- UC-5.9.6 · Network Path Change Detection [high]
- UC-5.9.7 · WAN Link Quality Scoring [high]
- UC-5.9.8 · BGP Reachability Monitoring [critical]
- UC-5.9.9 · BGP Path Change Trending [high]
- UC-5.9.10 · BGP Update Volume Tracking [medium]
- UC-5.9.11 · BGP AS Path Monitoring [high]
- UC-5.9.12 · Prefix Reachability by Region [high]
- UC-5.9.13 · DNS Availability Monitoring [critical]
- UC-5.9.14 · DNS Resolution Time Trending [high]
- UC-5.9.15 · DNSSEC Validity Monitoring [high]
- UC-5.9.16 · DNS Provider Comparison [medium]
- UC-5.9.17 · DNS Trace Delegation Chain Monitoring [medium]
- UC-5.9.18 · Network Outage Event Detection [critical]
- UC-5.9.19 · ISP Performance Degradation Alerts [critical]
- UC-5.9.20 · DNS Issue Event Tracking [high]
- UC-5.9.21 · Proxy Issue Detection [high]
- UC-5.9.22 · Local Agent Issue Monitoring [medium]
- UC-5.9.23 · Internet Outage Correlation with Internal Alerts [high]
- UC-5.9.24 · Endpoint Experience Score Monitoring [high]
- UC-5.9.25 · Remote Worker Connectivity Health [high]
- UC-5.9.26 · VPN Path Performance [high]
- UC-5.9.27 · Endpoint Connection Type and Network Score [medium]
- UC-5.9.28 · Geographic Workforce Performance Comparison [medium]
- UC-5.9.29 · SD-WAN Overlay vs Underlay Performance [high]
- UC-5.9.30 · SASE Secure Edge Performance [high]
- UC-5.9.31 · Multi-Cloud Network Performance [high]
- UC-5.9.32 · CDN Edge Network Performance [medium]
- UC-5.9.33 · Cloud Provider Path Visualization [medium]
- UC-5.9.34 · HTTP Server Availability Monitoring (ThousandEyes) [critical]
- UC-5.9.35 · HTTP Server Response Time Tracking
(ThousandEyes) [high] - UC-5.9.36 · HTTP Server Throughput Analysis (ThousandEyes) [medium] - UC-5.9.37 · Page Load Completion Rate (ThousandEyes) [critical] - UC-5.9.38 · Page Load Duration Trending (ThousandEyes) [high] - UC-5.9.39 · API Endpoint Completion Rate (ThousandEyes) [critical] - UC-5.9.40 · API Response Time Monitoring (ThousandEyes) [high] - UC-5.9.41 · Transaction Test Completion Rate (ThousandEyes) [critical] - UC-5.9.42 · Transaction Duration Analysis (ThousandEyes) [high] - UC-5.9.43 · SaaS Application Response Time Comparison (ThousandEyes) [high] - UC-5.9.44 · Multi-Region SaaS Availability (ThousandEyes) [high] - UC-5.9.45 · FTP Server Availability and Throughput (ThousandEyes) [medium] - UC-5.9.46 · ThousandEyes Alert Severity Distribution [high] - UC-5.9.47 · ThousandEyes Alert Timeline Trending [medium] - UC-5.9.48 · ThousandEyes Activity Log Audit Trail [medium] - UC-5.9.49 · ThousandEyes Data Collection Health Monitoring [high] - UC-5.9.50 · ThousandEyes ITSI Service Health (Content Pack) [high] - UC-5.9.51 · Splunk On-Call Incident Routing from ThousandEyes [medium] - UC-5.9.52 · ThousandEyes Trace Span Analysis and Drill-Down [medium] - UC-5.9.53 · Cross-Platform Correlation (ThousandEyes Network + Splunk APM) [high] - UC-5.9.54 · MTTR Reduction via Network vs Application Isolation [high] ### 5.10 Carrier and Service Provider Signaling - UC-5.10.1 · Diameter Signaling Health Monitoring [critical] - UC-5.10.2 · Diameter Subscriber Data Accounting [high] - UC-5.10.3 · Mobile Subscriber RADIUS Session Tracking [high] - UC-5.10.4 · Carrier SIP Trunk Failure Analysis [critical] - UC-5.10.5 · SIP Registration Storm Detection [critical] - UC-5.10.6 · SIP Post-Dial Delay Monitoring [high] ### 5.11 gNMI / gRPC Streaming Telemetry - UC-5.11.1 · Interface Utilization via gNMI Streaming Counters [critical] - UC-5.11.2 · Interface Error and Discard Streaming [high] - UC-5.11.3 · BGP Peer State Change Detection via ON_CHANGE [critical] - UC-5.11.4 · 
System CPU and Memory Utilization Streaming [high] - UC-5.11.5 · Optical Transceiver Health Monitoring [high] - UC-5.11.6 · QoS Queue Depth and Drop Streaming [high] - UC-5.11.7 · LLDP Topology Change Detection [medium] - UC-5.11.8 · BGP Prefix Count and Route Churn Monitoring [high] - UC-5.11.9 · Hardware Component Health (Fan, PSU, Temperature) [high] - UC-5.11.10 · Telegraf gNMI Collector Pipeline Health [high] - UC-5.11.11 · ACL Hit Counter Analysis via Streaming Telemetry [medium] ### 5.12 Telecommunications & CDR Analytics - UC-5.12.1 · CDR Call Failure Statistics [high] - UC-5.12.2 · Call Volume Trending by Destination [medium] - UC-5.12.3 · Call Duration Distribution Analysis [medium] - UC-5.12.4 · SIP Trunk Utilization [high] - UC-5.12.5 · VoIP MOS Score Monitoring [high] - UC-5.12.6 · Signaling Storm Detection [critical] - UC-5.12.7 · IMS Registration Failure Rate [critical] - UC-5.12.8 · Number Portability Request Tracking [medium] - UC-5.12.9 · Roaming Usage Anomaly [high] - UC-5.12.10 · Toll Fraud Detection [critical] - UC-5.3.23 · Citrix ADC AppFlow Export Health [high] - UC-5.3.24 · Citrix ADC Web Application Firewall (WAF) Violations [critical] - UC-5.3.25 · Citrix ADC Bot Management Detection [high] - UC-5.3.26 · Citrix ADC nFactor Authentication Pipeline Failures [critical] - UC-5.3.27 · Citrix ADC Surge Queue and Spillover Events [high] - UC-5.3.28 · Citrix ADC TCP Connection Multiplexing Analysis [medium] - UC-5.3.29 · Citrix ADC Frontend vs Backend RTT Analysis [high] - UC-5.3.30 · Citrix ADC Integrated Cache Hit Ratio [medium] - UC-5.3.31 · Citrix ADC Compression Savings and CPU Impact [medium] - UC-5.3.32 · Citrix ADC DNS/ADNS Service Health [high] - UC-5.3.33 · Citrix SDX Platform Health (Partition Resources) [high] - UC-5.3.34 · Citrix ADC Cluster Configuration Replication [critical] - UC-5.3.35 · Citrix ADC AAA Audit Trail and Command Logging [high] - UC-5.3.36 · Citrix ADC API Gateway Policy Evaluation [high] - UC-5.3.37 · Citrix ADC 
Pooled Licensing Utilization [high] - UC-5.3.38 · Citrix SD-WAN Virtual Path Loss, Jitter, and Latency [critical] - UC-5.3.39 · Citrix SD-WAN Application Steering and QoS Enforcement [high] - UC-5.3.40 · Citrix SD-WAN WAN Link Health and Standby Failover [critical] - UC-5.3.41 · Citrix SD-WAN High Availability and VRRP Status [critical] - UC-5.3.42 · Citrix SD-WAN Orchestrator Config Push Failures [high] ## 6. Storage & Backup SAN, NAS, object storage, and backup systems — capacity trends, latency, IOPS, and backup job monitoring. **Quick tip:** Install vendor TAs (NetApp, Pure Storage, etc.) and configure REST API or syslog collection. Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-06-storage-backup.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-06-storage-backup.md ### 6.1 SAN / NAS Storage - UC-6.1.1 · Volume Capacity Trending [critical] - UC-6.1.2 · Storage Latency Monitoring [critical] - UC-6.1.3 · IOPS Trending per Volume [high] - UC-6.1.4 · Disk Failure Alerts [critical] - UC-6.1.5 · Replication Lag Monitoring [critical] - UC-6.1.6 · Controller Failover Events [critical] - UC-6.1.7 · Thin Provisioning Overcommit [high] - UC-6.1.8 · Snapshot Space Consumption [high] - UC-6.1.9 · Fibre Channel Port Errors [high] - UC-6.1.10 · Storage Array Firmware Compliance [medium] - UC-6.1.11 · Isilon Cluster and Node Health [critical] - UC-6.1.12 · Isilon Capacity and Performance Trending [high] - UC-6.1.13 · TrueNAS / FreeNAS Pool Health [critical] - UC-6.1.14 · Ceph Cluster Health and OSD Status [critical] - UC-6.1.15 · NFS Export Availability [high] - UC-6.1.16 · SMB / CIFS Share Availability [high] - UC-6.1.17 · RAID Rebuild Progress and Estimated Completion [high] - UC-6.1.18 · NetApp ONTAP Performance Counters [high] - UC-6.1.19 · Pure Storage Array Health [critical] - UC-6.1.20 · iSCSI Session Monitoring [high] - UC-6.1.21 · Multipath Failover Events [critical] - UC-6.1.22 · 
Fibre Channel Port Error Rate (Array) [high] - UC-6.1.23 · LUN Latency Trending [critical] - UC-6.1.24 · Aggregate Space Forecasting [high] - UC-6.1.25 · Snapshot Schedule Compliance [medium] - UC-6.1.26 · Deduplication Savings Ratio [medium] - UC-6.1.27 · MDS Inter-Switch Link (ISL) Utilization [critical] - UC-6.1.28 · MDS Slow Drain Detection [critical] - UC-6.1.29 · MDS Zone Configuration Compliance [high] - UC-6.1.30 · MDS FLOGI Database Monitoring [high] - UC-6.1.31 · MDS VSAN Health and Isolation Events [critical] - UC-6.1.32 · MDS SAN Fabric Oversubscription Ratio [medium] ### 6.2 Object Storage - UC-6.2.1 · Bucket Capacity Trending [medium] - UC-6.2.2 · Access Pattern Anomalies [high] - UC-6.2.3 · Public Bucket Detection [critical] - UC-6.2.4 · Lifecycle Policy Compliance [medium] - UC-6.2.5 · Cross-Region Replication Lag [high] - UC-6.2.6 · S3 and Azure Blob Lifecycle Policy Compliance [medium] - UC-6.2.7 · Cross-Region Replication Lag (SLA) [high] - UC-6.2.8 · Bucket Policy Change Audit [critical] - UC-6.2.9 · Pre-Signed URL Abuse Detection [high] - UC-6.2.10 · Storage Class Transition Tracking [medium] - UC-6.2.11 · Object Versioning Compliance [high] - UC-6.2.12 · Object Lock Integrity [critical] ### 6.3 Backup & Recovery - UC-6.3.1 · Backup Job Success Rate [critical] - UC-6.3.2 · Backup Job Duration Trending [medium] - UC-6.3.3 · Missed Backup Detection [critical] - UC-6.3.4 · Backup Storage Capacity [high] - UC-6.3.5 · Restore Test Tracking [high] - UC-6.3.6 · Backup SLA Compliance [critical] - UC-6.3.7 · Backup Data Volume Trending [medium] - UC-6.3.8 · Tape Library Health [medium] - UC-6.3.9 · Veeam Backup Job Monitoring [critical] - UC-6.3.10 · Backup Data Growth Rate [medium] - UC-6.3.11 · Veeam Backup Job Status Summary [critical] - UC-6.3.12 · Commvault Job Completion [critical] - UC-6.3.13 · Backup RPO and RTO Compliance [critical] - UC-6.3.14 · Tape Library Robotics and Drive Health [high] - UC-6.3.15 · DR Rehearsal Tracking [high] - 
UC-6.3.16 · Backup Window Utilization [medium] - UC-6.3.17 · Incremental Backup Chain Integrity [critical] - UC-6.3.18 · Backup Data Growth Trending by Workload [medium] - UC-6.3.19 · Windows Backup Job Monitoring [high] - UC-6.3.20 · Backup Target Capacity and Growth Rate [high] - UC-6.3.21 · Restore Job Success and Duration Trending [critical] - UC-6.3.22 · Backup Job Overlap and Schedule Conflict Detection [medium] - UC-6.3.23 · Immutable Backup and Ransomware Recovery Readiness [critical] - UC-6.3.24 · Tape Library Slot Utilization [medium] ### 6.4 File Services - UC-6.4.1 · File Access Audit [high] - UC-6.4.2 · Ransomware Indicator Detection [critical] - UC-6.4.3 · DFS Replication Health [high] - UC-6.4.4 · Share Permission Changes [high] - UC-6.4.5 · Large File Transfer Detection [high] - UC-6.4.6 · Backup Encryption and Key Access Audit [high] - UC-6.4.12 · DFS Replication Backlog and Connectivity Health [high] - UC-6.4.13 · NFS Export Capacity and Client Load [medium] - UC-6.4.14 · SMB Share Access Audit [high] - UC-6.4.15 · File Server Capacity Trending [high] - UC-6.4.16 · Ransomware File Extension Detection [critical] - UC-6.4.17 · CIFS Connection Monitoring [medium] - UC-6.4.18 · File Deletion Volume Anomaly [critical] ## 7. Database & Data Platforms SQL Server, Oracle, PostgreSQL, MongoDB, and data platforms — slow queries, deadlocks, replication, and connection pools. **Quick tip:** Install Splunk DB Connect or vendor TA to collect database logs and performance metrics. 
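As an added example (not one of the catalog's SPL queries, which live in the per-category file linked below), the following Python script shows the detection logic behind four of the 7.1 use cases run over PostgreSQL server-log lines: UC-7.1.1 slow queries, UC-7.1.2 deadlocks, UC-7.1.7 login failures and UC-7.1.15 privilege escalation. It assumes a `log_line_prefix` of `'%m [%p] %u@%d '`, `log_min_duration_statement` enabled and `log_statement` set to `ddl` or higher; the log lines, thresholds and the `Finding` record are constructed for illustration.

```python
"""Added example (not catalog code): PostgreSQL server-log triage for
UC-7.1.1 slow queries, UC-7.1.2 deadlocks, UC-7.1.7 login failures and
UC-7.1.15 privilege changes, over constructed sample lines."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed log_line_prefix = '%m [%p] %u@%d ' (timestamp, pid, user@database).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>LOG|WARNING|ERROR|FATAL|PANIC|DETAIL|HINT|STATEMENT):\s+(?P<msg>.*)$"
)
# Emitted by log_min_duration_statement; the statement text may be absent.
DURATION_RE = re.compile(
    r"^duration: (?P<ms>[\d.]+) ms(?:\s+(?:statement|execute \S+): (?P<stmt>.*))?$"
)
AUTH_FAIL_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')
# Requires log_statement = 'ddl' or higher so role changes and grants are logged.
PRIV_RE = re.compile(
    r"^statement:\s+(?P<stmt>(?:ALTER (?:ROLE|USER) \S+ .*\b(?:SUPERUSER|CREATEROLE|BYPASSRLS)\b.*"
    r"|GRANT .+ TO .+))$",
    re.IGNORECASE,
)

# Constructed sample log (not real data).
SAMPLE_LOG = """
2024-05-01 10:00:01.123 UTC [4711] app@orders LOG:  duration: 5231.442 ms  statement: SELECT o.id, c.name FROM orders o JOIN customers c ON c.id = o.customer_id WHERE o.status = 'open'
2024-05-01 10:00:01.900 UTC [4711] app@orders LOG:  duration: 12.008 ms  statement: SELECT 1
2024-05-01 10:00:02.001 UTC [4712] admin@orders FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:02.450 UTC [4714] admin@orders FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:02.900 UTC [4715] admin@orders FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:03.500 UTC [4713] app@orders ERROR:  deadlock detected
2024-05-01 10:00:03.500 UTC [4713] app@orders DETAIL:  Process 4713 waits for ShareLock on transaction 9001; blocked by process 4716.
2024-05-01 10:00:04.000 UTC [4717] dba@postgres LOG:  statement: ALTER ROLE app WITH SUPERUSER
2024-05-01 10:00:04.200 UTC [4718] dba@postgres LOG:  duration: 0.801 ms  statement: SELECT now()
"""


@dataclass
class Finding:
    use_case: str
    severity: str
    detail: str


def parse(lines):
    """Yield one dict per line that matches the assumed prefix; others are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(lines, slow_ms=1000.0, auth_fail_threshold=3):
    """Return Findings for the four use cases; thresholds are illustrative."""
    findings = []
    auth_failures = Counter()  # (user, db) -> failed password attempts
    for ev in parse(lines):
        level, msg = ev["level"], ev["msg"]
        if level == "LOG":
            d = DURATION_RE.match(msg)
            if d and float(d["ms"]) >= slow_ms:
                findings.append(Finding("UC-7.1.1", "critical",
                    f"{d['ms']} ms by {ev['user']}@{ev['db']}: {(d['stmt'] or '')[:60]}"))
                continue
            p = PRIV_RE.match(msg)
            if p:
                findings.append(Finding("UC-7.1.15", "critical",
                    f"{ev['user']}@{ev['db']} ran: {p['stmt']}"))
        elif level == "FATAL":
            a = AUTH_FAIL_RE.match(msg)
            if a:
                auth_failures[(a["user"], ev["db"])] += 1
        elif level == "ERROR" and msg.startswith("deadlock detected"):
            findings.append(Finding("UC-7.1.2", "critical",
                f"deadlock in pid {ev['pid']} ({ev['user']}@{ev['db']})"))
    # Login failures are aggregated per user@db so one bad password is not an alert.
    for (user, db), n in auth_failures.items():
        if n >= auth_fail_threshold:
            findings.append(Finding("UC-7.1.7", "high", f"{n} failed logins for {user}@{db}"))
    return findings


def run_sample():
    return analyze(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.use_case:<10} {f.severity:<8} {f.detail}")
```

In Splunk the same logic is a field extraction on the prefix followed by per-event matching for the duration, deadlock and privilege cases and a `stats count by user, db` for the login failures; the 1000 ms and three-failure thresholds are placeholders to tune per environment. Lines that do not match the prefix are silently skipped here, which is exactly the kind of extraction gap to track separately in production.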
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-07-database-data-platforms.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-07-database-data-platforms.md

### 7.1 Relational Databases

- UC-7.1.1 · Slow Query Detection [critical]
- UC-7.1.2 · Deadlock Monitoring [critical]
- UC-7.1.3 · Connection Pool Exhaustion [critical]
- UC-7.1.4 · Replication Lag Monitoring [critical]
- UC-7.1.5 · Tablespace / Data File Growth [high]
- UC-7.1.6 · Backup Success Verification [critical]
- UC-7.1.7 · Login Failure Monitoring [high]
- UC-7.1.8 · Long-Running Transaction Detection [high]
- UC-7.1.9 · Index Fragmentation [medium]
- UC-7.1.10 · TempDB Contention (SQL Server) [high]
- UC-7.1.11 · Buffer Cache Hit Ratio [medium]
- UC-7.1.12 · Database Availability Group Health [critical]
- UC-7.1.13 · Schema Change Detection [high]
- UC-7.1.14 · Query Plan Regression [high]
- UC-7.1.15 · Privilege Escalation Audit [critical]

### 7.2 NoSQL Databases

- UC-7.2.1 · Cluster Membership Changes [critical]
- UC-7.2.2 · Replication Lag / Consistency [critical]
- UC-7.2.3 · Read/Write Latency Trending [high]
- UC-7.2.4 · Shard Imbalance Detection [high]
- UC-7.2.5 · Compaction Monitoring [medium]
- UC-7.2.6 · GC Pause Detection [critical]
- UC-7.2.7 · Connection Count Monitoring [high]
- UC-7.2.8 · Index Build Monitoring [medium]
- UC-7.2.9 · Memory Utilization [high]
- UC-7.2.10 · Elasticsearch Cluster Health [critical]
- UC-7.2.11 · MongoDB Oplog Window [critical]
- UC-7.2.12 · MongoDB WiredTiger Cache Pressure [high]
- UC-7.2.13 · MongoDB Atlas Cluster Alerts [critical]
- UC-7.2.14 · Cassandra Compaction Backlog and Throughput [high]
- UC-7.2.15 · Redis Memory Fragmentation (Cache Tier) [medium]
- UC-7.2.16 · DynamoDB Throttling Events [high]
- UC-7.2.17 · CouchDB Replication Conflicts [high]
- UC-7.2.18 · MongoDB Oplog Window Sufficiency [critical]
- UC-7.2.19 · Cassandra Tombstone Accumulation [high]
- UC-7.2.20 · Redis Eviction Rate [high]
- UC-7.2.21 · HBase RegionServer Failover Events [critical]
- UC-7.2.22 · CouchDB View Build Times [medium]
- UC-7.2.23 · MongoDB Index Inefficiency (Usage vs Size) [medium]

### 7.3 Cloud-Managed Databases

- UC-7.3.1 · RDS/Aurora Performance Insights [high]
- UC-7.3.2 · Automated Failover Events [critical]
- UC-7.3.3 · Read Replica Lag [high]
- UC-7.3.4 · Storage Auto-Scaling Events [medium]
- UC-7.3.5 · Maintenance Window Tracking [medium]
- UC-7.3.6 · Redis Memory Fragmentation Ratio [medium]
- UC-7.3.7 · Redis Keyspace Hit / Miss Ratio [medium]
- UC-7.3.8 · Aurora Serverless Scaling Events [medium]
- UC-7.3.9 · Azure Cosmos DB RU Consumption [high]
- UC-7.3.10 · Cloud Spanner Instance Health [critical]
- UC-7.3.11 · Managed Database Failover Events (Multi-Cloud) [critical]
- UC-7.3.12 · Azure SQL Database DTU Exhaustion [critical]
- UC-7.3.13 · Cloud SQL Storage Auto-Grow Events [medium]
- UC-7.3.14 · Managed Backup Retention Compliance [critical]
- UC-7.3.15 · Read Replica Lag Trending (Percentiles) [high]
- UC-7.3.16 · Azure SQL Managed Instance Resource Utilization [high]
- UC-7.3.17 · Azure SQL Managed Instance Failover Group Status [critical]

### 7.4 Data Warehouses & Analytics Platforms

- UC-7.4.1 · Query Performance Trending [high]
- UC-7.4.2 · Cluster Scaling Events [medium]
- UC-7.4.3 · Data Pipeline Health [critical]
- UC-7.4.4 · Credit / Cost per Query [high]
- UC-7.4.5 · Warehouse Utilization [medium]
- UC-7.4.6 · Elasticsearch Cluster Health and Shard Status [critical]
- UC-7.4.7 · Elasticsearch Index Size and Document Count Trending [medium]
- UC-7.4.8 · ClickHouse Query Performance [medium]
- UC-7.4.9 · Snowflake Warehouse Credit Usage [high]
- UC-7.4.10 · Databricks Cluster Utilization [medium]
- UC-7.4.11 · Redshift Query Queue Depth [high]
- UC-7.4.12 · BigQuery Cost Anomalies [high]
- UC-7.4.13 · Snowflake Query Spillage (Bytes Spilled to Local/Remote Storage) [high]
- UC-7.4.14 · Databricks Job Failure Rate [critical]
- UC-7.4.15 · Azure Synapse Analytics SQL Pool Performance [high]
- UC-7.4.16 · Azure Synapse Pipeline Execution Health [high]
- UC-7.1.16 · Open Cursor Leak Detection [high]
- UC-7.1.17 · Database Connection Pool Exhaustion [critical]
- UC-7.1.18 · Long-Running Query and Blocking Session Detection [high]
- UC-7.1.19 · Table and Index Bloat and Maintenance Window [medium]
- UC-7.1.20 · Database Backup and Archive Log Retention Verification [critical]
- UC-7.1.21 · Database User and Privilege Change Audit [high]
- UC-7.1.22 · PostgreSQL WAL Growth [high]
- UC-7.1.23 · PostgreSQL Vacuum Activity [high]
- UC-7.1.24 · PostgreSQL Connection Pool Monitoring (PgBouncer) [high]
- UC-7.1.25 · MySQL / MariaDB InnoDB Buffer Pool Hit Ratio [medium]
- UC-7.1.26 · MySQL Binary Log Space Usage [medium]
- UC-7.1.27 · Oracle Tablespace Utilization [high]
- UC-7.1.28 · PostgreSQL Replication Lag (Streaming) [critical]
- UC-7.1.29 · MySQL InnoDB Buffer Pool Hit Ratio Monitoring [medium]
- UC-7.1.30 · Oracle Tablespace Growth Trending [high]
- UC-7.1.31 · SQL Server Always On AG Health and Replica Sync [critical]
- UC-7.1.32 · Database Backup Chain Validation [critical]
- UC-7.1.33 · Long-Running Query Detection (Active Sessions) [high]
- UC-7.1.34 · Deadlock Frequency by Database [high]
- UC-7.1.35 · Connection Pool Exhaustion (Application vs Database Limit) [critical]
- UC-7.1.36 · Index Fragmentation Maintenance Priority [medium]
- UC-7.1.37 · Temp Tablespace Usage (Oracle TEMP) [high]
- UC-7.1.38 · Query Plan Regression (Runtime vs Baseline) [high]
- UC-7.1.39 · Database Patch Compliance [high]
- UC-7.1.40 · Database Audit Log Tampering Detection [critical]

### 7.5 Search & Analytics Platforms

- UC-7.5.1 · Elasticsearch Cluster Health (Red / Yellow) [critical]
- UC-7.5.2 · Elasticsearch Shard Allocation Failures [critical]
- UC-7.5.3 · OpenSearch Index Performance [high]
- UC-7.5.4 · OpenSearch Search Latency [high]
- UC-7.5.5 · Elasticsearch Indexing Rate Monitoring [medium]
- UC-7.5.6 · Solr Query Cache Hit Ratio [medium]
- UC-7.5.7 · Solr Replication Lag [high]
- UC-7.5.8 · Elasticsearch Disk Watermark Alerts [critical]
- UC-7.5.9 · Elasticsearch JVM Heap Pressure [critical]
- UC-7.5.10 · OpenSearch Snapshot / Backup Status [critical]
- UC-7.5.11 · Elasticsearch Circuit Breaker Trips [high]
- UC-7.5.12 · Elasticsearch Thread Pool Rejections [critical]
- UC-7.5.13 · Elasticsearch Search Latency and Slow Queries [high]
- UC-7.5.14 · Elasticsearch ILM Policy Failures [high]
- UC-7.5.15 · Elasticsearch Snapshot Failures [critical]
- UC-7.5.16 · Elasticsearch Cross-Cluster Replication Lag [critical]
- UC-7.5.17 · Elasticsearch Pending Cluster Tasks [high]
- UC-7.5.18 · Elasticsearch Fielddata and Cache Evictions [medium]
- UC-7.5.19 · Elasticsearch Segment Merge Pressure [medium]
- UC-7.5.20 · Solr Core Admin Health [high]
- UC-7.5.21 · Elasticsearch Ingest Pipeline Error Rate [high]

### 7.6 Database Trending

- UC-7.6.1 · Database Connection Pool Utilization Trending [high]
- UC-7.6.2 · Slow Query Volume Trending [high]
- UC-7.6.3 · Replication Lag Trending [high]
- UC-7.6.4 · Database Backup Size Trending [medium]
- UC-7.6.5 · Index Fragmentation Trending [medium]

## 8. Application Infrastructure

Web servers, application servers, message queues, CDNs, and DNS — HTTP errors, response times, and SSL certificates.

**Quick tip:** Forward web server access/error logs and install the appropriate TA for structured field extraction.
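The quick tip above is about getting structured fields out of access logs. As an added example, not code from the catalog, here is that extraction in Python together with the checks behind UC-8.1.1 (HTTP error rate), UC-8.1.4 (top error URIs), UC-8.1.7 (bot and crawler detection) and UC-8.1.9 (slow POST detection). It assumes NGINX's `combined` log format with `$request_time` appended as a final field; the log lines, addresses, thresholds and the bot user-agent pattern are constructed for the example.

```python
"""Added example (not catalog code): field extraction from NGINX/Apache
access logs plus the checks behind UC-8.1.1, UC-8.1.4, UC-8.1.7 and
UC-8.1.9, run over constructed sample lines."""
import re
from collections import Counter
from datetime import datetime

# Assumed format: NGINX "combined" with $request_time appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<rt>[\d.]+))?$'
)
# Illustrative crawler/tool fingerprints; a real deployment would use a lookup table.
BOT_RE = re.compile(r"bot|crawler|spider|curl|wget|python-requests|scrapy", re.IGNORECASE)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /api/orders HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 0.041
203.0.113.10 - - [01/May/2024:10:00:02 +0000] "GET /api/orders HTTP/1.1" 502 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 0.003
198.51.100.7 - - [01/May/2024:10:00:02 +0000] "POST /api/upload HTTP/1.1" 200 88 "-" "curl/8.5.0" 12.507
198.51.100.7 - - [01/May/2024:10:00:03 +0000] "GET /api/orders HTTP/1.1" 502 0 "-" "curl/8.5.0" 0.002
192.0.2.44 - - [01/May/2024:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0.010
192.0.2.44 - - [01/May/2024:10:00:06 +0000] "GET /products HTTP/1.1" 500 12 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0.120
203.0.113.10 - - [01/May/2024:10:01:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29" 0.001
203.0.113.10 - - [01/May/2024:10:01:01 +0000] "GET /api/orders HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 0.038
"""


def parse_access_log(lines):
    """Extract typed fields; returns (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # an extraction gap worth alerting on in its own right
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["rt"] = float(ev["rt"]) if ev["rt"] else None
        stamp = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["minute"] = stamp.strftime("%Y-%m-%dT%H:%M")  # one bucket per minute
        events.append(ev)
    return events, unparsed


def error_rate_by_minute(events):
    """UC-8.1.1: (total, 5xx count, 5xx ratio) per minute bucket."""
    totals, errors = Counter(), Counter()
    for ev in events:
        totals[ev["minute"]] += 1
        if ev["status"] >= 500:
            errors[ev["minute"]] += 1
    return {m: (totals[m], errors[m], errors[m] / totals[m]) for m in sorted(totals)}


def top_error_uris(events, n=5):
    """UC-8.1.4: URIs ranked by number of 5xx responses."""
    return Counter(ev["uri"] for ev in events if ev["status"] >= 500).most_common(n)


def bot_requests(events):
    """UC-8.1.7: request count per source IP whose user agent looks automated."""
    return Counter(ev["ip"] for ev in events if BOT_RE.search(ev["ua"]))


def slow_posts(events, threshold_s=5.0):
    """UC-8.1.9: POSTs whose request time exceeds the threshold."""
    return [(ev["ip"], ev["uri"], ev["rt"]) for ev in events
            if ev["method"] == "POST" and ev["rt"] is not None and ev["rt"] >= threshold_s]


def run_sample(error_rate_threshold=0.05):
    events, unparsed = parse_access_log(SAMPLE_LOG.strip().splitlines())
    rates = error_rate_by_minute(events)
    return {
        "unparsed": unparsed,
        "error_rate": rates,
        "alerts": [m for m, (_, _, r) in rates.items() if r > error_rate_threshold],
        "top_error_uris": top_error_uris(events),
        "bots": bot_requests(events),
        "slow_posts": slow_posts(events),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The Splunk equivalent of `error_rate_by_minute` is the TA's extractions followed by something like `timechart span=1m count(eval(status>=500)) as errors count as total | eval rate=errors/total`; the value of doing it in code once is seeing that the ratio is computed per bucket, so a minute with two requests and one 502 alerts just as loudly as a busy one, which is why a minimum request count per bucket is usually added before this goes into production.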
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-08-application-infrastructure.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-08-application-infrastructure.md

### 8.1 Web Servers & Reverse Proxies

- UC-8.1.1 · HTTP Error Rate Monitoring [critical]
- UC-8.1.2 · Response Time Trending [high]
- UC-8.1.3 · Request Rate Trending [medium]
- UC-8.1.4 · Top Error URIs [medium]
- UC-8.1.5 · SSL Certificate Monitoring [critical]
- UC-8.1.6 · Upstream Backend Health [critical]
- UC-8.1.7 · Bot and Crawler Detection [medium]
- UC-8.1.8 · Connection Pool Saturation [high]
- UC-8.1.9 · Slow POST Detection [medium]
- UC-8.1.10 · Configuration Reload Tracking [medium]
- UC-8.1.11 · NGINX Upstream Response Errors [high]
- UC-8.1.12 · Apache mod_security WAF Blocks [high]
- UC-8.1.13 · IIS Worker Process Recycling [medium]
- UC-8.1.14 · SSL Certificate Expiry Countdown [critical]
- UC-8.1.15 · HAProxy Backend Health State [critical]
- UC-8.1.16 · Web Server Thread Pool Exhaustion [high]
- UC-8.1.17 · IIS Web Server Monitoring [high]
- UC-8.1.18 · IIS Application Pool Crashes & Recycling [high]

### 8.2 Application Servers & Runtimes

- UC-8.2.1 · JVM Heap Utilization [critical]
- UC-8.2.2 · Garbage Collection Impact [high]
- UC-8.2.3 · Thread Pool Exhaustion [critical]
- UC-8.2.4 · Application Error Rate [critical]
- UC-8.2.5 · Deployment Tracking [high]
- UC-8.2.6 · Connection Pool Monitoring [high]
- UC-8.2.7 · Session Count Trending [medium]
- UC-8.2.8 · .NET CLR Performance [high]
- UC-8.2.9 · Node.js Event Loop Lag [high]
- UC-8.2.10 · Class Loading Issues [medium]
- UC-8.2.11 · PHP-FPM Pool Monitoring [high]
- UC-8.2.12 · Tomcat JMX Thread Pool Utilization [high]
- UC-8.2.13 · WildFly / JBoss Datasource Pool Usage [high]
- UC-8.2.14 · JVM Garbage Collection Pause Time (STW) [critical]
- UC-8.2.15 · .NET CLR Memory Pressure [high]
- UC-8.2.16 · Node.js Event Loop Lag (High Resolution) [high]
- UC-8.2.17 · Python WSGI Worker Pool Exhaustion [high]
- UC-8.2.18 · Tomcat Active Session Count [medium]
- UC-8.2.19 · WebLogic Stuck Threads [critical]
- UC-8.2.20 · JBoss / WildFly Deployment Failures [critical]
- UC-8.2.21 · Spring Boot Actuator Health Down [critical]
- UC-8.2.22 · .NET Exception Rate Trending [high]
- UC-8.2.23 · Jira Data Center Performance [medium]

### 8.3 Message Queues & Event Streaming

- UC-8.3.1 · Consumer Lag Monitoring [critical]
- UC-8.3.2 · Queue Depth Trending [high]
- UC-8.3.3 · Broker Health Monitoring [critical]
- UC-8.3.4 · Under-Replicated Partitions [critical]
- UC-8.3.5 · Dead Letter Queue Monitoring [high]
- UC-8.3.6 · Message Throughput Trending [medium]
- UC-8.3.7 · Topic/Queue Creation Audit [medium]
- UC-8.3.8 · Consumer Group Rebalancing [high]
- UC-8.3.9 · Partition Leader Elections [high]
- UC-8.3.10 · Message Age Monitoring [high]
- UC-8.3.11 · RabbitMQ Queue Monitoring [high]
- UC-8.3.12 · ZooKeeper Ensemble Health [high]
- UC-8.3.13 · Kafka Consumer Lag Monitoring (Consumer Group) [critical]
- UC-8.3.14 · RabbitMQ Queue Depth Alerts [high]
- UC-8.3.15 · Azure Service Bus Dead Letter Monitoring [high]
- UC-8.3.16 · Kafka Connect Task Failures [critical]
- UC-8.3.17 · Kafka Topic Partition Skew [high]
- UC-8.3.18 · RabbitMQ Memory Alarm [critical]
- UC-8.3.19 · ActiveMQ Broker Store Usage [high]
- UC-8.3.20 · NATS JetStream Consumer Ack Lag [high]
- UC-8.3.21 · MSMQ Queue Depth Monitoring [high]

### 8.4 API Gateways & Service Mesh

- UC-8.4.1 · API Error Rate by Endpoint [critical]
- UC-8.4.2 · API Latency Percentiles [high]
- UC-8.4.3 · Rate Limiting Events [medium]
- UC-8.4.4 · Authentication Failures [high]
- UC-8.4.5 · Service-to-Service Call Failures [critical]
- UC-8.4.6 · Circuit Breaker Activations [critical]
- UC-8.4.7 · API Consumer Usage Tracking [medium]
- UC-8.4.8 · mTLS Certificate Expiration [critical]
- UC-8.4.9 · HAProxy Backend and Frontend Health [high]
- UC-8.4.10 · Kong Rate Limit Violations [medium]
- UC-8.4.11 · AWS API Gateway 4xx/5xx Trends [critical]
- UC-8.4.12 · Apigee Policy Violations [high]
- UC-8.4.13 · API Response Time SLA Breaches [critical]
- UC-8.4.14 · API Key Abuse Detection [high]
- UC-8.4.15 · GraphQL Query Depth Violations [medium]
- UC-8.4.16 · API Version Deprecation Tracking [medium]

### 8.5 Caching Layers

- UC-8.5.1 · Cache Hit/Miss Ratio [high]
- UC-8.5.2 · Memory Utilization [high]
- UC-8.5.3 · Eviction Rate Trending [high]
- UC-8.5.4 · Connection Count Monitoring [medium]
- UC-8.5.5 · Replication Lag (Redis) [high]
- UC-8.5.6 · Slow Command Detection [high]
- UC-8.5.7 · Key Expiration Trending [medium]
- UC-8.5.8 · Memcached Hit Ratio and Eviction Rate [medium]
- UC-8.5.9 · Squid Proxy Cache Hit Ratio [medium]
- UC-8.5.10 · Varnish Cache Hit Rate and Backend Health [medium]
- UC-8.5.11 · Synthetic Transaction Monitoring [high]
- UC-8.5.12 · Website Page Load Time Breakdown [medium]

### 8.6 Network Service Availability

- UC-8.6.1 · SSH Service Availability Monitoring [high]
- UC-8.6.2 · FTP / SFTP Service Availability Monitoring [medium]
- UC-8.6.10 · Envoy Proxy Upstream Health [high]
- UC-8.6.11 · HashiCorp Vault Seal Status and Token Count [critical]
- UC-8.6.12 · HashiCorp Consul Service Health [high]
- UC-8.6.13 · HashiCorp Nomad Job and Allocation Status [high]
- UC-8.6.14 · Asterisk / FreePBX Call Quality and Trunk Status [high]
- UC-8.6.16 · NTP Stratum Drift [high]
- UC-8.6.17 · DNS Recursive Query Volume [medium]
- UC-8.6.18 · TFTP Unauthorized Access [high]
- UC-8.6.19 · SNMP Community String Audit [high]

### 8.7 Application Trending

- UC-8.7.1 · User Session Volume Trending [medium]
- UC-8.7.2 · API Endpoint Latency Percentile Trending [high]
- UC-8.7.3 · Application Error Budget Burn Rate Trending [high]
- UC-8.7.4 · Cache Hit Ratio Trending [medium]
- UC-8.7.5 · Message Queue Backlog Trending [medium]

## 9. Identity & Access Management

Active Directory, Entra ID, LDAP, MFA, and PAM — authentication failures, privilege escalation, and identity governance.

**Quick tip:** Enable Windows Security Event Log collection from DCs with Splunk_TA_windows for immediate AD visibility.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-09-identity-access-management.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-09-identity-access-management.md

### 9.1 Active Directory / Entra ID

- UC-9.1.1 · Brute-Force Login Detection [critical]
- UC-9.1.2 · Account Lockout Monitoring [high]
- UC-9.1.3 · Privileged Group Membership Changes [critical]
- UC-9.1.4 · Service Account Anomalies [critical]
- UC-9.1.5 · Kerberos Ticket Anomalies [critical]
- UC-9.1.6 · Password Policy Violations [medium]
- UC-9.1.7 · GPO Modification Detection [critical]
- UC-9.1.8 · AD Replication Monitoring [high]
- UC-9.1.9 · LDAP Query Performance [medium]
- UC-9.1.10 · Stale Account Detection [medium]
- UC-9.1.11 · Entra ID Risky Sign-Ins [critical]
- UC-9.1.12 · Conditional Access Policy Failures [high]
- UC-9.1.13 · AD Certificate Services Certificate Expiration [high]
- UC-9.1.14 · Service Account Password Age [medium]
- UC-9.1.15 · Kerberoasting Detection [critical]
- UC-9.1.16 · Golden Ticket Indicators [critical]
- UC-9.1.17 · Entra Conditional Access Policy Changes [critical]
- UC-9.1.18 · Hybrid Join Device Compliance [high]
- UC-9.1.19 · LAPS Password Rotation Failures [high]
- UC-9.1.20 · AD Replication Topology Changes [critical]
- UC-9.1.21 · AdminSDHolder Modification [critical]
- UC-9.1.22 · GPO Tampering Detection [critical]
- UC-9.1.23 · Entra PIM Activation Audit [critical]
- UC-9.1.24 · Stale Computer Account Cleanup [medium]
- UC-9.1.25 · AD Forest Trust Changes [critical]
- UC-9.1.26 · Certificate Template Abuse (ESC Attacks) [critical]
- UC-9.1.27 · Active Directory Replication [critical]
- UC-9.1.28 · AD Certificate Services (ADCS) Anomalies [critical]

### 9.2 LDAP Directories

- UC-9.2.1 · Bind Failure Monitoring [high]
- UC-9.2.2 · Search Performance Degradation [medium]
- UC-9.2.3 · Schema Modification Audit [critical]
- UC-9.2.4 · Replication Health Monitoring [high]
- UC-9.2.5 · Azure AD / Entra ID Conditional Access Policy Evaluation Failures [medium]
- UC-9.2.6 · LDAP Query Volume Anomalies [high]
- UC-9.2.7 · Bind Failure Rate Spikes [high]
- UC-9.2.8 · Active Directory Schema Modification Audit [critical]
- UC-9.2.9 · LDAP Signing Enforcement [high]
- UC-9.2.10 · LDAPS Certificate Validation [high]
- UC-9.2.11 · LDAP Channel Binding Status [high]
- UC-9.2.12 · LDAP Referral Chaining Monitoring [medium]

### 9.3 Identity Providers (IdP) & SSO

- UC-9.3.1 · MFA Challenge Failure Rate [high]
- UC-9.3.2 · Impossible Travel Detection [critical]
- UC-9.3.3 · Token Anomaly Detection [critical]
- UC-9.3.4 · Application Access Patterns [medium]
- UC-9.3.5 · IdP Availability Monitoring [critical]
- UC-9.3.6 · Phishing-Resistant MFA Adoption [medium]
- UC-9.3.7 · Session Hijacking Detection [critical]
- UC-9.3.8 · SAML Assertion Replay Detection [critical]
- UC-9.3.9 · OAuth Token Abuse [critical]
- UC-9.3.10 · SSO Session Hijacking Indicators [critical]
- UC-9.3.11 · Federated Trust Modifications [critical]
- UC-9.3.12 · Consent Grant Abuse [critical] [GDPR]
- UC-9.3.13 · App Registration Secret Expiry [high]
- UC-9.3.14 · Multi-Tenant App Access Anomalies [high]
- UC-9.3.15 · OAuth Scope Creep Detection [high]
- UC-9.3.16 · Token Endpoint Rate Limiting [medium]

### 9.4 Privileged Access Management (PAM)

- UC-9.4.1 · Privileged Session Audit [critical]
- UC-9.4.2 · Password Checkout Tracking [high]
- UC-9.4.3 · Break-Glass Account Usage [critical]
- UC-9.4.4 · Credential Rotation Compliance [high]
- UC-9.4.5 · Suspicious Session Commands [critical]
- UC-9.4.6 · Vault Health Monitoring [critical]
- UC-9.4.7 · Federated Identity Provider Health [critical]
- UC-9.4.8 · API Token Usage Anomaly [high]
- UC-9.4.9 · Cross-Domain Trust Change Detection [critical]
- UC-9.4.10 · Just-in-Time Access Request Monitoring [high]
- UC-9.4.11 · Identity Sync Failure Detection [critical]
- UC-9.4.12 · RADIUS / TACACS+ Server Response Time [high]
- UC-9.4.13 · Active Directory Domain Controller Response Time [high]
- UC-9.4.14 · CyberArk Session Recording Alerts [critical]
- UC-9.4.15 · Privileged Session Duration Anomalies [high]
- UC-9.4.16 · Vault Synchronization Failures [critical]
- UC-9.4.17 · Just-in-Time Access Request Analysis [high]
- UC-9.4.18 · Emergency Break-Glass Account Usage [critical]
- UC-9.4.19 · Shared Account Concurrent Login Detection [critical]
- UC-9.4.20 · PAM Agent Health Monitoring [high]

### 9.5 Cloud Identity Providers — Okta & Duo

- UC-9.5.1 · Okta Authentication Failures [critical]
- UC-9.5.2 · Okta MFA Bypass Attempts [critical]
- UC-9.5.3 · Okta Suspicious Sign-In Activity [high]
- UC-9.5.4 · Okta Admin Console Changes [critical]
- UC-9.5.5 · Okta Policy Modifications [critical]
- UC-9.5.6 · Okta New Admin Creation [critical]
- UC-9.5.7 · Duo Authentication Denials [high]
- UC-9.5.8 · Duo Device Trust Posture [high]
- UC-9.5.9 · Duo Enrollment Anomalies [medium]
- UC-9.5.10 · Federated SSO Token Abuse [critical]
- UC-9.5.11 · Impossible Travel Detection (Okta) [high]
- UC-9.5.12 · Okta API Rate Limit Monitoring [medium]
- UC-9.5.13 · Okta App Assignment Changes [high]
- UC-9.5.14 · Duo Push Fraud Detection [critical]
- UC-9.5.15 · Okta User Lifecycle Events (Provisioning / Deprovisioning) [high]

### 9.6 Endpoint & Mobile Device Management

- UC-9.6.1 · Device Compliance Status and Policy Enforcement [high]
- UC-9.6.2 · Mobile Device Enrollment and MDM Status Tracking [medium]
- UC-9.6.3 · Geofencing Alerts and Location-Based Policy Triggers [medium]
- UC-9.6.4 · Mobile Security Policy Violations and App Restrictions [high]
- UC-9.6.5 · Lost Mode Device Activation and Recovery Tracking [high]
- UC-9.6.6 · Mobile App Deployment Success Rate and Distribution Status [medium]

### 9.7 Identity & Access Trending

- UC-9.7.1 · Authentication Volume Trending [medium]
- UC-9.7.2 · MFA Adoption Rate Trending [high]
- UC-9.7.3 · Privileged Account Activity Trending [high]
- UC-9.7.4 · Service Account Usage Trending [medium]
- UC-9.7.5 · Conditional Access Policy Block Trending [medium]
- UC-9.7.6 · Password Reset Volume Trending [medium]
- UC-9.7.7 · Identity Provider Availability Trending [high]

## 10. Security Infrastructure

Next-gen firewalls, IDS/IPS, endpoint protection, email security, web security, vulnerability management, SIEM & SOAR, and certificate/PKI — threat detection and SecOps. ESCU detections are distributed across subcategories 10.1–10.8.

**Quick tip:** Forward firewall logs (syslog) and install the vendor TA (Palo Alto, Fortinet, etc.). Use `import_sse_detections.py` to import ESCU detections, then `redistribute_sse_ucs.py` to place them in the right subcategories.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-10-security-infrastructure.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-10-security-infrastructure.md

### 10.1 Next-Gen Firewalls (Security-Focused)

- UC-10.1.1 · Threat Prevention Event Trending [critical]
- UC-10.1.2 · Wildfire / Sandbox Verdicts [critical]
- UC-10.1.3 · C2 Communication Detection [critical]
- UC-10.1.4 · DNS Sinkhole Hits [critical]
- UC-10.1.5 · SSL Decryption Coverage [high]
- UC-10.1.6 · Cisco ASA Reconnaissance Command Activity [high]
- UC-10.1.7 · Cisco ASA - AAA Policy Tampering [high]
- UC-10.1.8 · Cisco ASA - Core Syslog Message Volume Drop [high]
- UC-10.1.9 · Cisco ASA - Device File Copy Activity [high]
- UC-10.1.10 · Cisco ASA - Device File Copy to Remote Location [high]
- UC-10.1.11 · Cisco ASA - Logging Disabled via CLI [high]
- UC-10.1.12 · Cisco ASA - Logging Filters Configuration Tampering [high]
- UC-10.1.13 · Cisco ASA - Logging Message Suppression [high]
- UC-10.1.14 · Cisco ASA - New Local User Account Created [high]
- UC-10.1.15 · Cisco ASA - Packet Capture Activity [high]
- UC-10.1.16 · Cisco ASA - Reconnaissance Command Activity [high]
- UC-10.1.17 · Cisco ASA - User Account Deleted From Local Database [high]
- UC-10.1.18 · Cisco ASA - User Account Lockout Threshold Exceeded [high]
- UC-10.1.19 · Cisco ASA - User Privilege Level Change [high]
- UC-10.1.20 · ESXi Firewall Disabled [high]
- UC-10.1.21 · Abnormally High Number Of Cloud Security Group API Calls [high]
- UC-10.1.22 · ASL AWS Defense Evasion Impair Security Services [high]
- UC-10.1.23 · Allow File And Printing Sharing In Firewall [high]
- UC-10.1.24 · Allow Inbound Traffic By Firewall Rule Registry [high]
- UC-10.1.25 · Allow Inbound Traffic In Firewall Rule [high]
- UC-10.1.26 · Allow Network Discovery In Firewall [high]
- UC-10.1.27 · Disabling Firewall with Netsh [high]
- UC-10.1.28 · Firewall Allowed Program Enable [high]
- UC-10.1.29 · Linux Auditd Disable Or Modify System Firewall [high]
- UC-10.1.30 · Linux Iptables Firewall Modification [high]
- UC-10.1.31 · Linux Stdout Redirection To Dev Null File [high]
- UC-10.1.32 · Linux System Network Discovery [high]
- UC-10.1.33 · Windows Delete or Modify System Firewall [high]
- UC-10.1.34 · Windows Firewall Rule Added [high]
- UC-10.1.35 · Windows Firewall Rule Deletion [high]
- UC-10.1.36 · Windows Firewall Rule Modification [high]
- UC-10.1.37 · Windows Impair Defense Disable Defender Firewall And Network [high]
- UC-10.1.38 · Windows Modify Registry Delete Firewall Rules [high]
- UC-10.1.39 · Windows Modify Registry to Add or Modify Firewall Rule [high]
- UC-10.1.40 · Windows Modify System Firewall with Notable Process Path [high]
- UC-10.1.41 · Windows Remote Services Allow Rdp In Firewall [high]
- UC-10.1.42 · Windows Set Network Profile Category to Private via Registry [high]
- UC-10.1.43 · Windows System Network Connections Discovery Netsh [high]
- UC-10.1.44 · 
Cisco Secure Firewall - Binary File Type Download [high] - UC-10.1.45 · Cisco Secure Firewall - Bits Network Activity [high] - UC-10.1.46 · Cisco Secure Firewall - Blocked Connection [high] - UC-10.1.47 · Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt [high] - UC-10.1.48 · Cisco Secure Firewall - Communication Over Suspicious Ports [high] - UC-10.1.49 · Cisco Secure Firewall - Connection to File Sharing Domain [high] - UC-10.1.50 · Cisco Secure Firewall - File Download Over Uncommon Port [high] - UC-10.1.51 · Cisco Secure Firewall - High EVE Threat Confidence [high] - UC-10.1.52 · Cisco Secure Firewall - High Priority Intrusion Classification [high] - UC-10.1.53 · Cisco Secure Firewall - High Volume of Intrusion Events Per Host [high] - UC-10.1.54 · Cisco Secure Firewall - Intrusion Events by Threat Activity [high] - UC-10.1.55 · Cisco Secure Firewall - Lumma Stealer Activity [high] - UC-10.1.56 · Cisco Secure Firewall - Lumma Stealer Download Attempt [high] - UC-10.1.57 · Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt [high] - UC-10.1.58 · Cisco Secure Firewall - Malware File Downloaded [high] - UC-10.1.59 · Cisco Secure Firewall - Oracle E-Business Suite Correlation [high] - UC-10.1.60 · Cisco Secure Firewall - Oracle E-Business Suite Exploitation [high] - UC-10.1.61 · Cisco Secure Firewall - Possibly Compromised Host [high] - UC-10.1.62 · Cisco Secure Firewall - Potential Data Exfiltration [high] - UC-10.1.63 · Cisco Secure Firewall - Privileged Command Execution via HTTP [high] - UC-10.1.64 · Cisco Secure Firewall - Rare Snort Rule Triggered [high] - UC-10.1.65 · Cisco Secure Firewall - React Server Components RCE Attempt [high] - UC-10.1.66 · Cisco Secure Firewall - Remote Access Software Usage Traffic [high] - UC-10.1.67 · Cisco Secure Firewall - Repeated Blocked Connections [high] - UC-10.1.68 · Cisco Secure Firewall - Repeated Malware Downloads [high] - UC-10.1.69 · Cisco Secure Firewall - Snort Rule Triggered Across 
Multiple Hosts [high] - UC-10.1.70 · Cisco Secure Firewall - SSH Connection to Non-Standard Port [high] - UC-10.1.71 · Cisco Secure Firewall - SSH Connection to sshd_operns [high] - UC-10.1.72 · Cisco Secure Firewall - Static Tundra Smart Install Abuse [high] - UC-10.1.73 · Cisco Secure Firewall - Wget or Curl Download [high] - UC-10.1.74 · Detect Remote Access Software Usage Traffic [high] - UC-10.1.75 · Detect Traffic Mirroring [high] - UC-10.1.76 · Protocol or Port Mismatch [high] - UC-10.1.77 · TOR Traffic [high] ### 10.2 Intrusion Detection/Prevention (IDS/IPS) - UC-10.2.1 · Alert Severity Trending [high] - UC-10.2.2 · Top Targeted Hosts [high] - UC-10.2.3 · Signature Coverage Gaps [medium] - UC-10.2.4 · False Positive Tracking [medium] - UC-10.2.5 · Lateral Movement Detection [critical] - UC-10.2.6 · Detect New Login Attempts to Routers [high] - UC-10.2.7 · ESXi Lockdown Mode Disabled [high] - UC-10.2.8 · ESXi Malicious VIB Forced Install [high] - UC-10.2.9 · ESXi Sensitive Files Accessed [high] - UC-10.2.10 · ESXi Shared or Stolen Root Account [high] - UC-10.2.11 · Okta Authentication Failed During MFA Challenge [high] - UC-10.2.12 · ASL AWS Concurrent Sessions From Different Ips [high] - UC-10.2.13 · ASL AWS Credential Access GetPasswordData [high] - UC-10.2.14 · ASL AWS IAM Successful Group Deletion [high] - UC-10.2.15 · AWS Concurrent Sessions From Different Ips [high] - UC-10.2.16 · AWS Credential Access GetPasswordData [high] - UC-10.2.17 · AWS S3 Exfiltration Behavior Identified [high] - UC-10.2.18 · Azure AD Concurrent Sessions From Different Ips [high] - UC-10.2.19 · Azure AD Multi-Source Failed Authentications Spike [high] - UC-10.2.20 · Azure AD Multiple AppIDs and UserAgents Authentication Spike [high] - UC-10.2.21 · Azure AD Service Principal Authentication [high] - UC-10.2.22 · Azure AD Unusual Number of Failed Authentications From Ip [high] - UC-10.2.23 · Circle CI Disable Security Job [high] - UC-10.2.24 · Cloud Compute Instance Created With 
Previously Unseen Image [high] - UC-10.2.25 · Detect AWS Console Login by User from New Region [high] - UC-10.2.26 · Detect Spike in AWS Security Hub Alerts for User [high] - UC-10.2.27 · Detect Spike in blocked Outbound Traffic from your AWS [high] - UC-10.2.28 · GCP Detect gcploit framework [high] - UC-10.2.29 · GCP Unusual Number of Failed Authentications From Ip [high] - UC-10.2.30 · Active Directory Lateral Movement Identified [high] - UC-10.2.31 · Cisco Isovalent - Access To Cloud Metadata Service [high] - UC-10.2.32 · Detect Excessive User Account Lockouts [high] - UC-10.2.33 · Detect Mimikatz With PowerShell Script Block Logging [high] - UC-10.2.34 · Detect Regsvcs with No Command Line Arguments [high] - UC-10.2.35 · Detect Renamed PSExec [high] - UC-10.2.36 · Detect SharpHound Command-Line Arguments [high] - UC-10.2.37 · Domain Account Discovery with Wmic [high] - UC-10.2.38 · DSQuery Domain Discovery [high] - UC-10.2.39 · Dump LSASS via comsvcs DLL [high] - UC-10.2.40 · Enable RDP In Other Port Number [high] - UC-10.2.41 · Esentutl SAM Copy [high] - UC-10.2.42 · Excessive number of service control start as disabled [high] - UC-10.2.43 · Excessive number of taskhost processes [high] - UC-10.2.44 · Executable File Written in Administrative SMB Share [high] - UC-10.2.45 · Get-DomainTrust with PowerShell [high] - UC-10.2.46 · Get-DomainTrust with PowerShell Script Block [high] - UC-10.2.47 · Get-ForestTrust with PowerShell Script Block [high] - UC-10.2.48 · Get WMIObject Group Discovery [high] - UC-10.2.49 · GetAdGroup with PowerShell Script Block [high] - UC-10.2.50 · Impacket Lateral Movement Commandline Parameters [high] - UC-10.2.51 · Impacket Lateral Movement smbexec CommandLine Parameters [high] - UC-10.2.52 · Impacket Lateral Movement WMIExec Commandline Parameters [high] - UC-10.2.53 · Interactive Session on Remote Endpoint with PowerShell [high] - UC-10.2.54 · Linux Auditd Database File And Directory Discovery [high] - UC-10.2.55 · Linux Auditd Find 
Credentials From Password Managers [high] - UC-10.2.56 · Linux Auditd System Network Configuration Discovery [high] - UC-10.2.57 · Linux SSH Remote Services Script Execute [high] - UC-10.2.58 · LOLBAS With Network Traffic [high] - UC-10.2.59 · Microsoft Defender ATP Alerts [high] - UC-10.2.60 · Mmc LOLBAS Execution Process Spawn [high] - UC-10.2.61 · Network Discovery Using Route Windows App [high] - UC-10.2.62 · Network Share Discovery Via Dir Command [high] - UC-10.2.63 · NLTest Domain Trust Discovery [high] - UC-10.2.64 · Possible Lateral Movement PowerShell Spawn [high] - UC-10.2.65 · Potential System Network Configuration Discovery Activity [high] - UC-10.2.66 · Powershell Enable SMB1Protocol Feature [high] - UC-10.2.67 · PowerShell Get LocalGroup Discovery [high] - UC-10.2.68 · Powershell Get LocalGroup Discovery with Script Block Logging [high] - UC-10.2.69 · PowerShell Invoke WmiExec Usage [high] - UC-10.2.70 · Process Execution via WMI [high] - UC-10.2.71 · Processes launching netsh [high] - UC-10.2.72 · Randomly Generated Scheduled Task Name [high] - UC-10.2.73 · Randomly Generated Windows Service Name [high] - UC-10.2.74 · Remote Desktop Process Running On System [high] - UC-10.2.75 · Remote Process Instantiation via DCOM and PowerShell [high] - UC-10.2.76 · Remote Process Instantiation via DCOM and PowerShell Script Block [high] - UC-10.2.77 · Remote Process Instantiation via WinRM and PowerShell [high] - UC-10.2.78 · Remote Process Instantiation via WinRM and PowerShell Script Block [high] - UC-10.2.79 · Remote Process Instantiation via WinRM and Winrs [high] - UC-10.2.80 · Remote Process Instantiation via WMI [high] - UC-10.2.81 · Remote Process Instantiation via WMI and PowerShell [high] - UC-10.2.82 · Remote Process Instantiation via WMI and PowerShell Script Block [high] - UC-10.2.83 · Remote WMI Command Attempt [high] - UC-10.2.84 · Revil Registry Entry [high] - UC-10.2.85 · Rubeus Command Line Parameters [high] - UC-10.2.86 · Runas Execution in 
CommandLine [high] - UC-10.2.87 · Scheduled Task Creation on Remote Endpoint using At [high] - UC-10.2.88 · Scheduled Task Initiation on Remote Endpoint [high] - UC-10.2.89 · Schtasks Run Task On Demand [high] - UC-10.2.90 · Schtasks scheduling job on remote system [high] - UC-10.2.91 · Services LOLBAS Execution Process Spawn [high] - UC-10.2.92 · Set Default PowerShell Execution Policy To Unrestricted or Bypass [high] - UC-10.2.93 · Short Lived Scheduled Task [high] - UC-10.2.94 · Short Lived Windows Accounts [high] - UC-10.2.95 · Suspicious MSBuild Spawn [high] - UC-10.2.96 · Svchost LOLBAS Execution Process Spawn [high] - UC-10.2.97 · Unusual Number of Computer Service Tickets Requested [high] - UC-10.2.98 · Unusual Number of Remote Endpoint Authentication Events [high] - UC-10.2.99 · Verclsid CLSID Execution [high] - UC-10.2.100 · Wermgr Process Spawned CMD Or Powershell Process [high] - UC-10.2.101 · Windows Account Discovery for Sam Account Name [high] - UC-10.2.102 · Windows AD Privileged Object Access Activity [high] - UC-10.2.103 · Windows Administrative Shares Accessed On Multiple Hosts [high] - UC-10.2.104 · Windows Archive Collected Data via Rar [high] - UC-10.2.105 · Windows Computer Account Created by Computer Account [high] - UC-10.2.106 · Windows Computer Account With SPN [high] - UC-10.2.107 · Windows ComputerDefaults Spawning a Process [high] - UC-10.2.108 · Windows Create Local Account [high] - UC-10.2.109 · Windows Credential Dumping LSASS Memory Createdump [high] - UC-10.2.110 · Windows Debugger Tool Execution [high] - UC-10.2.111 · Windows Default Group Policy Object Modified with GPME [high] - UC-10.2.112 · Windows Defender ASR Rules Stacking [high] - UC-10.2.113 · Windows Developer-Signed MSIX Package Installation [high] - UC-10.2.114 · Windows Drivers Loaded by Signature [high] - UC-10.2.115 · Windows File and Directory Permissions Remove Inheritance [high] - UC-10.2.116 · Windows Find Domain Organizational Units with GetDomainOU [high] - 
UC-10.2.117 · Windows Get Local Admin with FindLocalAdminAccess [high] - UC-10.2.118 · Windows Group Policy Object Created [high] - UC-10.2.119 · Windows High File Deletion Frequency [high] - UC-10.2.120 · Windows Impair Defense Disable Realtime Signature Delivery [high] - UC-10.2.121 · Windows Impair Defense Disable Win Defender Signature Retirement [high] - UC-10.2.122 · Windows Large Number of Computer Service Tickets Requested [high] - UC-10.2.123 · Windows Masquerading Explorer As Child Process [high] - UC-10.2.124 · Windows Modify Registry MaxConnectionPerServer [high] - UC-10.2.125 · Windows Modify Registry Utilize ProgIDs [high] - UC-10.2.126 · Windows Modify Show Compress Color And Info Tip Registry [high] - UC-10.2.127 · Windows MOF Event Triggered Execution via WMI [high] - UC-10.2.128 · Windows MSIExec DLLRegisterServer [high] - UC-10.2.129 · Windows MSTSC RDP Commandline [high] - UC-10.2.130 · Windows Net System Service Discovery [high] - UC-10.2.131 · Windows Office Product Spawned Rundll32 With No DLL [high] - UC-10.2.132 · Windows PowerShell Process With Malicious String [high] - UC-10.2.133 · Windows PowerShell Script Block With Malicious String [high] - UC-10.2.134 · Windows Process Injection Wermgr Child Process [high] - UC-10.2.135 · Windows Protocol Tunneling with Plink [high] - UC-10.2.136 · Windows Rapid Authentication On Multiple Hosts [high] - UC-10.2.137 · Windows RDP Bitmap Cache File Creation [high] - UC-10.2.138 · Windows RDP Connection Successful [high] - UC-10.2.139 · Windows Remote Create Service [high] - UC-10.2.140 · Windows Replication Through Removable Media [high] - UC-10.2.141 · Windows Scheduled Task Service Spawned Shell [high] - UC-10.2.142 · Windows Service Create RemComSvc [high] - UC-10.2.143 · Windows Service Create SliverC2 [high] - UC-10.2.144 · Windows Service Created with Suspicious Service Name [high] - UC-10.2.145 · Windows Service Created with Suspicious Service Path [high] - UC-10.2.146 · Windows Service Creation 
on Remote Endpoint [high] - UC-10.2.147 · Windows Service Execution RemCom [high] - UC-10.2.148 · Windows Service Initiation on Remote Endpoint [high] - UC-10.2.149 · Windows Set Account Password Policy To Unlimited Via Net [high] - UC-10.2.150 · Windows SIP WinVerifyTrust Failed Trust Validation [high] - UC-10.2.151 · Windows Snake Malware Registry Modification wav OpenWithProgIds [high] - UC-10.2.152 · Windows Special Privileged Logon On Multiple Hosts [high] - UC-10.2.153 · Windows SQL Server xp_cmdshell Config Change [high] - UC-10.2.154 · Windows Steal or Forge Kerberos Tickets Klist [high] - UC-10.2.155 · Windows UAC Bypass Suspicious Child Process [high] - UC-10.2.156 · Windows Unsigned DLL Side-Loading [high] - UC-10.2.157 · Windows Unsigned DLL Side-Loading In Same Process Path [high] - UC-10.2.158 · Windows Unsigned MS DLL Side-Loading [high] - UC-10.2.159 · Windows User Deletion Via Net [high] - UC-10.2.160 · Windows WinLogon with Public Network Connection [high] - UC-10.2.161 · Wmic Group Discovery [high] - UC-10.2.162 · Wmiprvse LOLBAS Execution Process Spawn [high] - UC-10.2.163 · Wsmprovhost LOLBAS Execution Process Spawn [high] - UC-10.2.164 · XMRIG Driver Loaded [high] - UC-10.2.165 · Cisco Network Interface Modifications [high] - UC-10.2.166 · Detect Outbound SMB Traffic [high] - UC-10.2.167 · SMB Traffic Spike - MLTK [high] - UC-10.2.168 · Windows Remote Desktop Network Bruteforce Attempt [high] ### 10.3 Endpoint Detection & Response (EDR) - UC-10.3.1 · Malware Detection Trending [critical] - UC-10.3.2 · Quarantine Action Monitoring [high] - UC-10.3.3 · Agent Health Monitoring [high] - UC-10.3.4 · Behavioral Detection Alerts [critical] - UC-10.3.5 · Endpoint Isolation Events [critical] - UC-10.3.6 · Threat Hunting Indicators [high] - UC-10.3.7 · EDR Coverage Gaps [high] - UC-10.3.8 · Ransomware Canary Detection [critical] - UC-10.3.9 · Cisco AI Defense Security Alerts by Application Name [high] - UC-10.3.10 · Detect HTML Help Spawn Child Process 
[high] - UC-10.3.11 · ESXi Bulk VM Termination [high] - UC-10.3.12 · Ollama Excessive API Requests [high] - UC-10.3.13 · Ollama Possible Model Exfiltration Data Leakage [high] - UC-10.3.14 · Ollama Suspicious Prompt Injection Jailbreak [high] - UC-10.3.15 · ASL AWS Disable Bucket Versioning [high] - UC-10.3.16 · AWS Bedrock Delete GuardRails [high] - UC-10.3.17 · AWS Bedrock Delete Knowledge Base [high] - UC-10.3.18 · AWS Bedrock Delete Model Invocation Logging Configuration [high] - UC-10.3.19 · AWS Bedrock High Number List Foundation Model Failures [high] - UC-10.3.20 · AWS Bedrock Invoke Model Access Denied [high] - UC-10.3.21 · AWS Disable Bucket Versioning [high] - UC-10.3.22 · Cloud API Calls From Previously Unseen User Roles [high] - UC-10.3.23 · Detect Spike in AWS Security Hub Alerts for EC2 Instance [high] - UC-10.3.24 · 7zip CommandLine To SMB Share Path [high] - UC-10.3.25 · Active Setup Registry Autostart [high] - UC-10.3.26 · Add DefaultUser And Password In Registry [high] - UC-10.3.27 · Allow Operation with Consent Admin [high] - UC-10.3.28 · Anomalous usage of 7zip [high] - UC-10.3.29 · Auto Admin Logon Registry Entry [high] - UC-10.3.30 · Batch File Write to System32 [high] - UC-10.3.31 · Bcdedit Command Back To Normal Mode Boot [high] - UC-10.3.32 · BCDEdit Failure Recovery Modification [high] - UC-10.3.33 · BITS Job Persistence [high] - UC-10.3.34 · BITSAdmin Download File [high] - UC-10.3.35 · CertUtil With Decode Argument [high] - UC-10.3.36 · Change To Safe Mode With Network Config [high] - UC-10.3.37 · CHCP Command Execution [high] - UC-10.3.38 · Check Elevated CMD using whoami [high] - UC-10.3.39 · Clear Unallocated Sector Using Cipher App [high] - UC-10.3.40 · Clop Common Exec Parameter [high] - UC-10.3.41 · Clop Ransomware Known Service Name [high] - UC-10.3.42 · CMD Carry Out String Command Parameter [high] - UC-10.3.43 · CMD Echo Pipe - Escalation [high] - UC-10.3.44 · CMLUA Or CMSTPLUA UAC Bypass [high] - UC-10.3.45 · Common Ransomware 
Extensions [high] - UC-10.3.46 · Common Ransomware Notes [high] - UC-10.3.47 · Conti Common Exec parameter [high] - UC-10.3.48 · Create or delete windows shares using net exe [high] - UC-10.3.49 · Create Remote Thread In Shell Application [high] - UC-10.3.50 · Creation of Shadow Copy [high] - UC-10.3.51 · Creation of Shadow Copy with wmic and powershell [high] - UC-10.3.52 · Credential Dumping via Copy Command from Shadow Copy [high] - UC-10.3.53 · Credential Dumping via Symlink to Shadow Copy [high] - UC-10.3.54 · CSC Net On The Fly Compilation [high] - UC-10.3.55 · Delete ShadowCopy With PowerShell [high] - UC-10.3.56 · Deleting Shadow Copies [high] - UC-10.3.57 · Detect AzureHound Command-Line Arguments [high] - UC-10.3.58 · Detect AzureHound File Modifications [high] - UC-10.3.59 · Detect Excessive Account Lockouts From Endpoint [high] - UC-10.3.60 · Detect HTML Help Renamed [high] - UC-10.3.61 · Detect HTML Help URL in Command Line [high] - UC-10.3.62 · Detect HTML Help Using InfoTech Storage Handlers [high] - UC-10.3.63 · Detect mshta inline hta execution [high] - UC-10.3.64 · Detect mshta renamed [high] - UC-10.3.65 · Detect MSHTA Url in Command Line [high] - UC-10.3.66 · Detect Path Interception By Creation Of program exe [high] - UC-10.3.67 · Detect Prohibited Applications Spawning cmd exe [high] - UC-10.3.68 · Detect PsExec With accepteula Flag [high] - UC-10.3.69 · Detect RClone Command-Line Usage [high] - UC-10.3.70 · Detect Regasm Spawning a Process [high] - UC-10.3.71 · Detect Regasm with no Command Line Arguments [high] - UC-10.3.72 · Detect Regsvcs Spawning a Process [high] - UC-10.3.73 · Detect Regsvr32 Application Control Bypass [high] - UC-10.3.74 · Detect Remote Access Software Usage Process [high] - UC-10.3.75 · Detect Renamed RClone [high] - UC-10.3.76 · Detect Renamed WinRAR [high] - UC-10.3.77 · Detect RTLO In Process [high] - UC-10.3.78 · Detect Rundll32 Inline HTA Execution [high] - UC-10.3.79 · Detect SharpHound File Modifications [high] 
- UC-10.3.80 · Detect SharpHound Usage [high] - UC-10.3.81 · Detect suspicious processnames using pretrained model in DSDL [high] - UC-10.3.82 · Detect Use of cmd exe to Launch Script Interpreters [high] - UC-10.3.83 · Detection of tools built by NirSoft [high] - UC-10.3.84 · Disable Defender AntiVirus Registry [high] - UC-10.3.85 · Disable Defender BlockAtFirstSeen Feature [high] - UC-10.3.86 · Disable Defender Enhanced Notification [high] - UC-10.3.87 · Disable Defender MpEngine Registry [high] - UC-10.3.88 · Disable Defender Spynet Reporting [high] - UC-10.3.89 · Disable Defender Submit Samples Consent Feature [high] [GDPR] - UC-10.3.90 · Disable ETW Through Registry [high] - UC-10.3.91 · Disable Logs Using WevtUtil [high] - UC-10.3.92 · Disable Registry Tool [high] - UC-10.3.93 · Disable Schedule Task [high] - UC-10.3.94 · Disable Security Logs Using MiniNt Registry [high] - UC-10.3.95 · Disable Show Hidden Files [high] - UC-10.3.96 · Disable UAC Remote Restriction [high] - UC-10.3.97 · Disable Windows App Hotkeys [high] - UC-10.3.98 · Disable Windows Behavior Monitoring [high] - UC-10.3.99 · Disabling CMD Application [high] - UC-10.3.100 · Disabling ControlPanel [high] - UC-10.3.101 · Disabling Defender Services [high] - UC-10.3.102 · Disabling FolderOptions Windows Feature [high] - UC-10.3.103 · Disabling NoRun Windows App [high] - UC-10.3.104 · Disabling SystemRestore In Registry [high] - UC-10.3.105 · Disabling Task Manager [high] - UC-10.3.106 · DNS Exfiltration Using Nslookup App [high] - UC-10.3.107 · Domain Account Discovery with Dsquery [high] - UC-10.3.108 · Domain Controller Discovery with Nltest [high] - UC-10.3.109 · Domain Controller Discovery with Wmic [high] - UC-10.3.110 · Domain Group Discovery With Dsquery [high] - UC-10.3.111 · Domain Group Discovery With Wmic [high] - UC-10.3.112 · Drop IcedID License dat [high] - UC-10.3.113 · Elevated Group Discovery With Wmic [high] - UC-10.3.114 · Enable WDigest UseLogonCredential Registry [high] - 
UC-10.3.115 · ETW Registry Disabled [high] - UC-10.3.116 · Eventvwr UAC Bypass [high] - UC-10.3.117 · Excessive Attempt To Disable Services [high] - UC-10.3.118 · Excessive distinct processes from Windows Temp [high] - UC-10.3.119 · Excessive File Deletion In WinDefender Folder [high] - UC-10.3.120 · Excessive Usage of NSLOOKUP App [high] - UC-10.3.121 · Excessive Usage Of SC Service Utility [high] - UC-10.3.122 · Excessive Usage Of Taskkill [high] - UC-10.3.123 · Execution of File with Multiple Extensions [high] - UC-10.3.124 · File with Samsam Extension [high] - UC-10.3.125 · First Time Seen Child Process of Zoom [high] - UC-10.3.126 · FodHelper UAC Bypass [high] - UC-10.3.127 · Fsutil Zeroing File [high] - UC-10.3.128 · Get ADDefaultDomainPasswordPolicy with Powershell [high] - UC-10.3.129 · Get ADUser with PowerShell [high] - UC-10.3.130 · Get ADUserResultantPasswordPolicy with Powershell [high] - UC-10.3.131 · Get DomainPolicy with Powershell [high] - UC-10.3.132 · Get DomainUser with PowerShell [high] - UC-10.3.133 · Get-ForestTrust with PowerShell [high] - UC-10.3.134 · Get WMIObject Group Discovery with Script Block Logging [high] - UC-10.3.135 · GetAdComputer with PowerShell [high] - UC-10.3.136 · GetAdGroup with PowerShell [high] - UC-10.3.137 · GetCurrent User with PowerShell [high] - UC-10.3.138 · GetCurrent User with PowerShell Script Block [high] - UC-10.3.139 · GetDomainComputer with PowerShell [high] - UC-10.3.140 · GetDomainController with PowerShell [high] - UC-10.3.141 · GetDomainGroup with PowerShell [high] - UC-10.3.142 · GetLocalUser with PowerShell [high] - UC-10.3.143 · GetNetTcpconnection with PowerShell [high] - UC-10.3.144 · GetWmiObject Ds Computer with PowerShell [high] - UC-10.3.145 · GetWmiObject Ds Group with PowerShell [high] - UC-10.3.146 · GetWmiObject DS User with PowerShell [high] - UC-10.3.147 · GetWmiObject User Account with PowerShell [high] - UC-10.3.148 · GPUpdate with no Command Line Arguments with Network [high] - 
UC-10.3.149 · Headless Browser Usage [high] - UC-10.3.150 · Hide User Account From Sign-In Screen [high] - UC-10.3.151 · Hiding Files And Directories With Attrib exe [high] - UC-10.3.152 · High Process Termination Frequency [high] - UC-10.3.153 · Java Writing JSP File [high] - UC-10.3.154 · Jscript Execution Using Cscript App [high] - UC-10.3.155 · Kerberos User Enumeration [high] - UC-10.3.156 · Linux Account Manipulation Of SSH Config and Keys [high] - UC-10.3.157 · Linux Add Files In Known Crontab Directories [high] - UC-10.3.158 · Linux Add User Account [high] - UC-10.3.159 · Linux Adding Crontab Using List Parameter [high] - UC-10.3.160 · Linux APT Privilege Escalation [high] - UC-10.3.161 · Linux At Allow Config File Creation [high] - UC-10.3.162 · Linux At Application Execution [high] - UC-10.3.163 · Linux Auditd Add User Account [high] - UC-10.3.164 · Linux Auditd At Application Execution [high] - UC-10.3.165 · Linux Auditd Change File Owner To Root [high] - UC-10.3.166 · Linux Auditd Data Destruction Command [high] - UC-10.3.167 · Linux Auditd Hardware Addition Swapoff [high] - UC-10.3.168 · Linux Auditd Hidden Files And Directories Creation [high] - UC-10.3.169 · Linux Auditd Preload Hijack Library Calls [high] - UC-10.3.170 · Linux Auditd Shred Overwrite Command [high] - UC-10.3.171 · Linux Auditd Stop Services [high] - UC-10.3.172 · Linux AWK Privilege Escalation [high] - UC-10.3.173 · Linux Busybox Privilege Escalation [high] - UC-10.3.174 · Linux c89 Privilege Escalation [high] - UC-10.3.175 · Linux c99 Privilege Escalation [high] - UC-10.3.176 · Linux Change File Owner To Root [high] - UC-10.3.177 · Linux Clipboard Data Copy [high] - UC-10.3.178 · Linux Common Process For Elevation Control [high] - UC-10.3.179 · Linux Composer Privilege Escalation [high] - UC-10.3.180 · Linux Cpulimit Privilege Escalation [high] - UC-10.3.181 · Linux Csvtool Privilege Escalation [high] - UC-10.3.182 · Linux Curl Upload File [high] - UC-10.3.183 · Linux Data 
Destruction Command [high] - UC-10.3.184 · Linux DD File Overwrite [high] - UC-10.3.185 · Linux Decode Base64 to Shell [high] - UC-10.3.186 · Linux Deleting Critical Directory Using RM Command [high] - UC-10.3.187 · Linux Deletion Of Cron Jobs [high] - UC-10.3.188 · Linux Disable Services [high] - UC-10.3.189 · Linux Doas Conf File Creation [high] - UC-10.3.190 · Linux Doas Tool Execution [high] - UC-10.3.191 · Linux Docker Privilege Escalation [high] - UC-10.3.192 · Linux Emacs Privilege Escalation [high] - UC-10.3.193 · Linux File Creation In Init Boot Directory [high] - UC-10.3.194 · Linux Find Privilege Escalation [high] - UC-10.3.195 · Linux GDB Privilege Escalation [high] - UC-10.3.196 · Linux Gdrive Binary Activity [high] - UC-10.3.197 · Linux Gem Privilege Escalation [high] - UC-10.3.198 · Linux GNU Awk Privilege Escalation [high] - UC-10.3.199 · Linux Hardware Addition SwapOff [high] - UC-10.3.200 · Linux High Frequency Of File Deletion In Boot Folder [high] - UC-10.3.201 · Linux High Frequency Of File Deletion In Etc Folder [high] - UC-10.3.202 · Linux Indicator Removal Clear Cache [high] - UC-10.3.203 · Linux Indicator Removal Service File Deletion [high] - UC-10.3.204 · Linux Ingress Tool Transfer Hunting [high] - UC-10.3.205 · Linux Ingress Tool Transfer with Curl [high] - UC-10.3.206 · Linux Insert Kernel Module Using Insmod Utility [high] - UC-10.3.207 · Linux Install Kernel Module Using Modprobe Utility [high] - UC-10.3.208 · Linux Kernel Module Enumeration [high] - UC-10.3.209 · Linux Kworker Process In Writable Process Path [high] - UC-10.3.210 · Linux Make Privilege Escalation [high] - UC-10.3.211 · Linux MySQL Privilege Escalation [high] - UC-10.3.212 · Linux Ngrok Reverse Proxy Usage [high] - UC-10.3.213 · Linux Node Privilege Escalation [high] - UC-10.3.214 · Linux NOPASSWD Entry In Sudoers File [high] - UC-10.3.215 · Linux Obfuscated Files or Information Base64 Decode [high] - UC-10.3.216 · Linux Octave Privilege Escalation [high] - 
- UC-10.3.217 · Linux OpenVPN Privilege Escalation [high]
- UC-10.3.218 · Linux PHP Privilege Escalation [high]
- UC-10.3.219 · Linux Possible Access Or Modification Of sshd Config File [high]
- UC-10.3.220 · Linux Possible Access To Credential Files [high]
- UC-10.3.221 · Linux Possible Access To Sudoers File [high]
- UC-10.3.222 · Linux Possible Append Command To At Allow Config File [high]
- UC-10.3.223 · Linux Possible Append Command To Profile Config File [high]
- UC-10.3.224 · Linux Possible Append Cronjob Entry on Existing Cronjob File [high]
- UC-10.3.225 · Linux Preload Hijack Library Calls [high]
- UC-10.3.226 · Linux Proxy Socks Curl [high]
- UC-10.3.227 · Linux Puppet Privilege Escalation [high]
- UC-10.3.228 · Linux RPM Privilege Escalation [high]
- UC-10.3.229 · Linux Ruby Privilege Escalation [high]
- UC-10.3.230 · Linux Service File Created In Systemd Directory [high]
- UC-10.3.231 · Linux Service Restarted [high]
- UC-10.3.232 · Linux Service Started Or Enabled [high]
- UC-10.3.233 · Linux Setuid Using Chmod Utility [high]
- UC-10.3.234 · Linux Setuid Using Setcap Utility [high]
- UC-10.3.235 · Linux Shred Overwrite Command [high]
- UC-10.3.236 · Linux Sqlite3 Privilege Escalation [high]
- UC-10.3.237 · Linux SSH Authorized Keys Modification [high]
- UC-10.3.238 · Linux Stop Services [high]
- UC-10.3.239 · Linux Sudo OR Su Execution [high]
- UC-10.3.240 · Linux System Reboot Via System Request Key [high]
- UC-10.3.241 · Linux Unix Shell Enable All SysRq Functions [high]
- UC-10.3.242 · Linux Visudo Utility Execution [high]
- UC-10.3.243 · Local Account Discovery With Wmic [high]
- UC-10.3.244 · Logon Script Event Trigger Execution [high]
- UC-10.3.245 · MacOS - Re-opened Applications [high]
- UC-10.3.246 · Malicious InProcServer32 Modification [high]
- UC-10.3.247 · Malicious PowerShell Process - Encoded Command [high]
- UC-10.3.248 · Malicious PowerShell Process - Execution Policy Bypass [high]
- UC-10.3.249 · Malicious PowerShell Process With Obfuscation Techniques [high]
- UC-10.3.250 · Mimikatz PassTheTicket CommandLine Parameters [high]
- UC-10.3.251 · Modification Of Wallpaper [high]
- UC-10.3.252 · Modify ACL permission To Files Or Folder [high]
- UC-10.3.253 · Monitor Registry Keys for Print Monitors [high]
- UC-10.3.254 · MS Scripting Process Loading WMI Module [high]
- UC-10.3.255 · MSBuild Suspicious Spawned By Script Process [high]
- UC-10.3.256 · Mshta spawning Rundll32 OR Regsvr32 Process [high]
- UC-10.3.257 · Msmpeng Application DLL Side Loading [high]
- UC-10.3.258 · NET Profiler UAC bypass [high]
- UC-10.3.259 · Network Connection Discovery With Arp [high]
- UC-10.3.260 · Network Connection Discovery With Netstat [high]
- UC-10.3.261 · Nishang PowershellTCPOneLine [high]
- UC-10.3.262 · Non Firefox Process Access Firefox Profile Dir [high]
- UC-10.3.263 · Notepad with no Command Line Arguments [high]
- UC-10.3.264 · Ntdsutil Export NTDS [high]
- UC-10.3.265 · Overwriting Accessibility Binaries [high]
- UC-10.3.266 · Permission Modification using Takeown App [high]
- UC-10.3.267 · Possible Browser Pass View Parameter [high]
- UC-10.3.268 · Potential Telegram API Request Via CommandLine [high]
- UC-10.3.269 · Potentially malicious code on commandline [high]
- UC-10.3.270 · PowerShell - Connect To Internet With Hidden Window [high]
- UC-10.3.271 · Powershell Creating Thread Mutex [high]
- UC-10.3.272 · Powershell Execute COM Object [high]
- UC-10.3.273 · Powershell Remote Thread To Known Windows Process [high]
- UC-10.3.274 · Powershell Remove Windows Defender Directory [high]
- UC-10.3.275 · PowerShell Script Block With URL Chain [high]
- UC-10.3.276 · PowerShell Start-BitsTransfer [high]
- UC-10.3.277 · PowerShell Start or Stop Service [high]
- UC-10.3.278 · PowerShell WebRequest Using Memory Stream [high]
- UC-10.3.279 · Prevent Automatic Repair Mode using Bcdedit [high]
- UC-10.3.280 · Print Processor Registry Autostart [high]
- UC-10.3.281 · Process Deleting Its Process File Path [high]
- UC-10.3.282 · Process Kill Base On File Path [high]
- UC-10.3.283 · Process Writing DynamicWrapperX [high]
- UC-10.3.284 · Ransomware Notes bulk creation [high]
- UC-10.3.285 · Recon AVProduct Through Pwh or WMI [high]
- UC-10.3.286 · Recursive Delete of Directory In Batch CMD [high]
- UC-10.3.287 · Reg exe Manipulating Windows Services Registry Keys [high]
- UC-10.3.288 · Registry Keys for Creating SHIM Databases [high]
- UC-10.3.289 · Registry Keys Used For Persistence [high]
- UC-10.3.290 · Registry Keys Used For Privilege Escalation [high]
- UC-10.3.291 · Regsvr32 Silent and Install Param Dll Loading [high]
- UC-10.3.292 · Regsvr32 with Known Silent Switch Cmdline [high]
- UC-10.3.293 · Remcos client registry install entry [high]
- UC-10.3.294 · Remcos RAT File Creation in Remcos Folder [high]
- UC-10.3.295 · Remote System Discovery with Dsquery [high]
- UC-10.3.296 · Remote System Discovery with Wmic [high]
- UC-10.3.297 · Resize ShadowStorage volume [high]
- UC-10.3.298 · Revil Common Exec Parameter [high]
- UC-10.3.299 · Rundll32 Create Remote Thread To A Process [high]
- UC-10.3.300 · Rundll32 CreateRemoteThread In Browser [high]
- UC-10.3.301 · Rundll32 LockWorkStation [high]
- UC-10.3.302 · Rundll32 Process Creating Exe Dll Files [high]
- UC-10.3.303 · Rundll32 Shimcache Flush [high]
- UC-10.3.304 · Rundll32 with no Command Line Arguments with Network [high]
- UC-10.3.305 · RunDLL Loading DLL By Ordinal [high]
- UC-10.3.306 · Ryuk Test Files Detected [high]
- UC-10.3.307 · Ryuk Wake on LAN Command [high]
- UC-10.3.308 · Samsam Test File Write [high]
- UC-10.3.309 · Sc exe Manipulating Windows Services [high]
- UC-10.3.310 · SchCache Change By App Connect And Create ADSI Object [high]
- UC-10.3.311 · Schedule Task with HTTP Command Arguments [high]
- UC-10.3.312 · Schedule Task with Rundll32 Command Trigger [high]
- UC-10.3.313 · Scheduled Task Deleted Or Created via CMD [high]
- UC-10.3.314 · Schtasks used for forcing a reboot [high]
- UC-10.3.315 · Screensaver Event Trigger Execution [high]
- UC-10.3.316 · Script Execution via WMI [high]
- UC-10.3.317 · Sdclt UAC Bypass [high]
- UC-10.3.318 · Sdelete Application Execution [high]
- UC-10.3.319 · SearchProtocolHost with no Command Line with Network [high]
- UC-10.3.320 · SecretDumps Offline NTDS Dumping Tool [high]
- UC-10.3.321 · ServicePrincipalNames Discovery with SetSPN [high]
- UC-10.3.322 · Services Escalate Exe [high]
- UC-10.3.323 · Shim Database Installation With Suspicious Parameters [high]
- UC-10.3.324 · SilentCleanup UAC Bypass [high]
- UC-10.3.325 · Single Letter Process On Endpoint [high]
- UC-10.3.326 · SLUI RunAs Elevated [high]
- UC-10.3.327 · SLUI Spawning a Process [high]
- UC-10.3.328 · Spike in File Writes [high]
- UC-10.3.329 · Sqlite Module In Temp Folder [high]
- UC-10.3.330 · Sunburst Correlation DLL and Network Event [high]
- UC-10.3.331 · Suspicious Curl Network Connection [high]
- UC-10.3.332 · Suspicious DLLHost no Command Line Arguments [high]
- UC-10.3.333 · Suspicious GPUpdate no Command Line Arguments [high]
- UC-10.3.334 · Suspicious IcedID Rundll32 Cmdline [high]
- UC-10.3.335 · Suspicious Image Creation In Appdata Folder [high]
- UC-10.3.336 · Suspicious Linux Discovery Commands [high]
- UC-10.3.337 · Suspicious microsoft workflow compiler rename [high]
- UC-10.3.338 · Suspicious microsoft workflow compiler usage [high]
- UC-10.3.339 · Suspicious msbuild path [high]
- UC-10.3.340 · Suspicious MSBuild Rename [high]
- UC-10.3.341 · Suspicious mshta child process [high]
- UC-10.3.342 · Suspicious mshta spawn [high]
- UC-10.3.343 · Suspicious PlistBuddy Usage [high]
- UC-10.3.344 · Suspicious PlistBuddy Usage via OSquery [high]
- UC-10.3.345 · Suspicious Process Executed From Container File [high]
- UC-10.3.346 · Suspicious Reg exe Process [high]
- UC-10.3.347 · Suspicious Regsvr32 Register Suspicious Path [high]
- UC-10.3.348 · Suspicious Rundll32 dllregisterserver [high]
- UC-10.3.349 · Suspicious Rundll32 no Command Line Arguments [high]
- UC-10.3.350 · Suspicious Rundll32 PluginInit [high]
- UC-10.3.351 · Suspicious Rundll32 StartW [high]
- UC-10.3.352 · Suspicious Scheduled Task from Public Directory [high]
- UC-10.3.353 · Suspicious SearchProtocolHost no Command Line Arguments [high]
- UC-10.3.354 · Suspicious SQLite3 LSQuarantine Behavior [high]
- UC-10.3.355 · Suspicious WAV file in Appdata Folder [high]
- UC-10.3.356 · Suspicious wevtutil Usage [high]
- UC-10.3.357 · Suspicious writes to windows Recycle Bin [high]
- UC-10.3.358 · System Info Gathering Using Dxdiag Application [high]
- UC-10.3.359 · System Information Discovery Detection [high]
- UC-10.3.360 · System Processes Run From Unexpected Locations [high]
- UC-10.3.361 · System User Discovery With Query [high]
- UC-10.3.362 · System User Discovery With Whoami [high]
- UC-10.3.363 · Time Provider Persistence Registry [high]
- UC-10.3.364 · Trickbot Named Pipe [high]
- UC-10.3.365 · UAC Bypass With Colorui COM Object [high]
- UC-10.3.366 · Uninstall App Using MsiExec [high]
- UC-10.3.367 · Unknown Process Using The Kerberos Protocol [high]
- UC-10.3.368 · Unload Sysmon Filter Driver [high]
- UC-10.3.369 · Unusually Long Command Line [high]
- UC-10.3.370 · Unusually Long Command Line - MLTK [high]
- UC-10.3.371 · User Discovery With Env Vars PowerShell [high]
- UC-10.3.372 · User Discovery With Env Vars PowerShell Script Block [high]
- UC-10.3.373 · USN Journal Deletion [high]
- UC-10.3.374 · Vbscript Execution Using Wscript App [high]
- UC-10.3.375 · WBAdmin Delete System Backups [high]
- UC-10.3.376 · Web Servers Executing Suspicious Processes [high]
- UC-10.3.377 · Wermgr Process Create Executable File [high]
- UC-10.3.378 · Windows AdFind Exe [high]
- UC-10.3.379 · Windows Admin Permission Discovery [high]
- UC-10.3.380 · Windows Admon Default Group Policy Object Modified [high]
- UC-10.3.381 · Windows Admon Group Policy Object Created [high]
- UC-10.3.382 · Windows Advanced Installer MSIX with AI_STUBS Execution [high]
- UC-10.3.383 · Windows Alternate DataStream - Base64 Content [high]
- UC-10.3.384 · Windows Apache Benchmark Binary [high]
- UC-10.3.385 · Windows App Layer Protocol Qakbot NamedPipe [high]
- UC-10.3.386 · Windows App Layer Protocol Wermgr Connect To NamedPipe [high]
- UC-10.3.387 · Windows Application Layer Protocol RMS Radmin Tool Namedpipe [high]
- UC-10.3.388 · Windows AppLocker Execution from Uncommon Locations [high]
- UC-10.3.389 · Windows Attempt To Stop Security Service [high]
- UC-10.3.390 · Windows Audit Policy Auditing Option Disabled via Auditpol [high]
- UC-10.3.391 · Windows Audit Policy Auditing Option Modified - Registry [high]
- UC-10.3.392 · Windows Audit Policy Cleared via Auditpol [high]
- UC-10.3.393 · Windows Audit Policy Disabled via Auditpol [high]
- UC-10.3.394 · Windows Audit Policy Disabled via Legacy Auditpol [high]
- UC-10.3.395 · Windows Audit Policy Excluded Category via Auditpol [high]
- UC-10.3.396 · Windows Audit Policy Restored via Auditpol [high]
- UC-10.3.397 · Windows Audit Policy Security Descriptor Tampering via Auditpol [high]
- UC-10.3.398 · Windows Autostart Execution LSASS Driver Registry Modification [high]
- UC-10.3.399 · Windows Binary Proxy Execution Mavinject DLL Injection [high]
- UC-10.3.400 · Windows BitLocker Suspicious Command Usage [high]
- UC-10.3.401 · Windows BitLockerToGo Process Execution [high]
- UC-10.3.402 · Windows BitLockerToGo with Network Activity [high]
- UC-10.3.403 · Windows Boot or Logon Autostart Execution In Startup Folder [high]
- UC-10.3.404 · Windows BootLoader Inventory [high]
- UC-10.3.405 · Windows Bypass UAC via Pkgmgr Tool [high]
- UC-10.3.406 · Windows CAB File on Disk [high]
- UC-10.3.407 · Windows Cached Domain Credentials Reg Query [high]
- UC-10.3.408 · Windows Chromium Browser Launched with Small Window Size [high]
- UC-10.3.409 · Windows Chromium process Launched with Disable Popup Blocking [high]
- UC-10.3.410 · Windows Chromium Process with Disabled Extensions [high]
- UC-10.3.411 · Windows Cisco Secure Endpoint Related Service Stopped [high]
- UC-10.3.412 · Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc [high]
- UC-10.3.413 · Windows Cisco Secure Endpoint Unblock File Via Sfc [high]
- UC-10.3.414 · Windows Cmdline Tool Execution From Non-Shell Process [high]
- UC-10.3.415 · Windows COM Hijacking InprocServer32 Modification [high]
- UC-10.3.416 · Windows Command and Scripting Interpreter Path Traversal Exec [high]
- UC-10.3.417 · Windows Command Shell DCRat ForkBomb Payload [high]
- UC-10.3.418 · Windows Compatibility Telemetry Suspicious Child Process [high]
- UC-10.3.419 · Windows Compatibility Telemetry Tampering Through Registry [high]
- UC-10.3.420 · Windows ConHost with Headless Argument [high]
- UC-10.3.421 · Windows Create Local Administrator Account Via Net [high]
- UC-10.3.422 · Windows Credentials from Password Stores Chrome Copied in TEMP Dir [high]
- UC-10.3.423 · Windows Credentials from Password Stores Creation [high]
- UC-10.3.424 · Windows Credentials from Password Stores Deletion [high]
- UC-10.3.425 · Windows Credentials from Password Stores Query [high]
- UC-10.3.426 · Windows Credentials from Web Browsers Saved in TEMP Folder [high]
- UC-10.3.427 · Windows Credentials in Registry Reg Query [high]
- UC-10.3.428 · Windows Data Destruction Recursive Exec Files Deletion [high]
- UC-10.3.429 · Windows Defacement Modify Transcodedwallpaper File [high]
- UC-10.3.430 · Windows Default Group Policy Object Modified [high]
- UC-10.3.431 · Windows Defender ASR Audit Events [high]
- UC-10.3.432 · Windows Defender ASR Block Events [high]
- UC-10.3.433 · Windows Defender ASR Registry Modification [high]
- UC-10.3.434 · Windows Defender ASR Rule Disabled [high]
- UC-10.3.435 · Windows Defender Exclusion Registry Entry [high]
- UC-10.3.436 · Windows Deleted Registry By A Non Critical Process File Path [high]
- UC-10.3.437 · Windows Disable Change Password Through Registry [high]
- UC-10.3.438 · Windows Disable Lock Workstation Feature Through Registry [high]
- UC-10.3.439 · Windows Disable Memory Crash Dump [high]
- UC-10.3.440 · Windows Disable Notification Center [high]
- UC-10.3.441 · Windows Disable or Modify Tools Via Taskkill [high]
- UC-10.3.442 · Windows Disable or Stop Browser Process [high]
- UC-10.3.443 · Windows Disable Shutdown Button Through Registry [high]
- UC-10.3.444 · Windows Disable Windows Event Logging Disable HTTP Logging [high]
- UC-10.3.445 · Windows Disable Windows Group Policy Features Through Registry [high]
- UC-10.3.446 · Windows DisableAntiSpyware Registry [high]
- UC-10.3.447 · Windows DiskCryptor Usage [high]
- UC-10.3.448 · Windows Diskshadow Proxy Execution [high]
- UC-10.3.449 · Windows DISM Remove Defender [high]
- UC-10.3.450 · Windows DLL Search Order Hijacking with iscsicpl [high]
- UC-10.3.451 · Windows DNS Gather Network Info [high]
- UC-10.3.452 · Windows Enable Win32 ScheduledJob via Registry [high]
- UC-10.3.453 · Windows Excessive Service Stop Attempt [high]
- UC-10.3.454 · Windows Excessive Usage Of Net App [high]
- UC-10.3.455 · Windows Executable in Loaded Modules [high]
- UC-10.3.456 · Windows Execute Arbitrary Commands with MSDT [high]
- UC-10.3.457 · Windows Exfiltration Over C2 Via Powershell UploadString [high]
- UC-10.3.458 · Windows File Download Via CertUtil [high]
- UC-10.3.459 · Windows File Transfer Protocol In Non-Common Process Path [high]
- UC-10.3.460 · Windows File Without Extension In Critical Folder [high]
- UC-10.3.461 · Windows Findstr GPP Discovery [high]
- UC-10.3.462 · Windows Gather Victim Host Information Camera [high]
- UC-10.3.463 · Windows Gdrive Binary Activity [high]
- UC-10.3.464 · Windows Get-AdComputer Unconstrained Delegation Discovery [high]
- UC-10.3.465 · Windows Global Object Access Audit List Cleared Via Auditpol [high]
- UC-10.3.466 · Windows Group Discovery Via Net [high]
- UC-10.3.467 · Windows Hidden Schedule Task Settings [high]
- UC-10.3.468 · Windows Hide Notification Features Through Registry [high]
- UC-10.3.469 · Windows Hijack Execution Flow Version Dll Side Load [high]
- UC-10.3.470 · Windows HTTP Network Communication From MSIExec [high]
- UC-10.3.471 · Windows Identify Protocol Handlers [high]
- UC-10.3.472 · Windows IIS Components Add New Module [high]
- UC-10.3.473 · Windows Impair Defense Add Xml Applocker Rules [high]
- UC-10.3.474 · Windows Impair Defense Change Win Defender Throttle Rate [high]
- UC-10.3.475 · Windows Impair Defense Change Win Defender Tracing Level [high]
- UC-10.3.476 · Windows Impair Defense Define Win Defender Threat Action [high]
- UC-10.3.477 · Windows Impair Defense Delete Win Defender Context Menu [high]
- UC-10.3.478 · Windows Impair Defense Delete Win Defender Profile Registry [high]
- UC-10.3.479 · Windows Impair Defense Deny Security Software With Applocker [high]
- UC-10.3.480 · Windows Impair Defense Disable Controlled Folder Access [high]
- UC-10.3.481 · Windows Impair Defense Disable Defender Protocol Recognition [high]
- UC-10.3.482 · Windows Impair Defense Disable PUA Protection [high]
- UC-10.3.483 · Windows Impair Defense Disable Web Evaluation [high]
- UC-10.3.484 · Windows Impair Defense Disable Win Defender App Guard [high]
- UC-10.3.485 · Windows Impair Defense Disable Win Defender Gen reports [high]
- UC-10.3.486 · Windows Impair Defense Disable Win Defender Report Infection [high]
- UC-10.3.487 · Windows Impair Defense Override SmartScreen Prompt [high]
- UC-10.3.488 · Windows Impair Defense Set Win Defender Smart Screen Level To Warn [high]
- UC-10.3.489 · Windows Impair Defenses Disable Auto Logger Session [high]
- UC-10.3.490 · Windows Impair Defenses Disable AV AutoStart via Registry [high]
- UC-10.3.491 · Windows Impair Defenses Disable HVCI [high]
- UC-10.3.492 · Windows Impair Defenses Disable Win Defender Auto Logging [high]
- UC-10.3.493 · Windows Indicator Removal Via Rmdir [high]
- UC-10.3.494 · Windows Indirect Command Execution Via forfiles [high]
- UC-10.3.495 · Windows Indirect Command Execution Via pcalua [high]
- UC-10.3.496 · Windows Indirect Command Execution Via Series Of Forfiles [high]
- UC-10.3.497 · Windows Ingress Tool Transfer Using Explorer [high]
- UC-10.3.498 · Windows InstallUtil in Non Standard Path [high]
- UC-10.3.499 · Windows InstallUtil Remote Network Connection [high]
- UC-10.3.500 · Windows InstallUtil Uninstall Option [high]
- UC-10.3.501 · Windows InstallUtil URL in Command Line [high]
- UC-10.3.502 · Windows ISO LNK File Creation [high]
- UC-10.3.503 · Windows Kerberos Local Successful Logon [high]
- UC-10.3.504 · Windows Known Abused DLL Created [high]
- UC-10.3.505 · Windows Ldifde Directory Object Behavior [high]
- UC-10.3.506 · Windows List ENV Variables Via SET Command From Uncommon Parent [high]
- UC-10.3.507 · Windows Local Administrator Credential Stuffing [high]
- UC-10.3.508 · Windows LSA Secrets NoLMhash Registry [high]
- UC-10.3.509 · Windows Mark Of The Web Bypass [high]
- UC-10.3.510 · Windows Masquerading Msdtc Process [high]
- UC-10.3.511 · Windows Mimikatz Binary Execution [high]
- UC-10.3.512 · Windows MMC Loaded Script Engine DLL [high]
- UC-10.3.513 · Windows Modify Registry AuthenticationLevelOverride [high]
- UC-10.3.514 · Windows Modify Registry Auto Minor Updates [high]
- UC-10.3.515 · Windows Modify Registry Auto Update Notif [high]
- UC-10.3.516 · Windows Modify Registry Configure BitLocker [high]
- UC-10.3.517 · Windows Modify Registry Default Icon Setting [high]
- UC-10.3.518 · Windows Modify Registry Disable RDP [high]
- UC-10.3.519 · Windows Modify Registry Disable Restricted Admin [high]
- UC-10.3.520 · Windows Modify Registry Disable Toast Notifications [high]
- UC-10.3.521 · Windows Modify Registry Disable Win Defender Raw Write Notif [high]
- UC-10.3.522 · Windows Modify Registry Disable WinDefender Notifications [high]
- UC-10.3.523 · Windows Modify Registry Disable Windows Security Center Notif [high]
- UC-10.3.524 · Windows Modify Registry DisableRemoteDesktopAntiAlias [high]
- UC-10.3.525 · Windows Modify Registry DisableSecuritySettings [high]
- UC-10.3.526 · Windows Modify Registry Disabling WER Settings [high]
- UC-10.3.527 · Windows Modify Registry DisAllow Windows App [high]
- UC-10.3.528 · Windows Modify Registry Do Not Connect To Win Update [high]
- UC-10.3.529 · Windows Modify Registry DontShowUI [high]
- UC-10.3.530 · Windows Modify Registry EnableLinkedConnections [high]
- UC-10.3.531 · Windows Modify Registry LongPathsEnabled [high]
- UC-10.3.532 · Windows Modify Registry No Auto Reboot With Logon User [high]
- UC-10.3.533 · Windows Modify Registry No Auto Update [high]
- UC-10.3.534 · Windows Modify Registry NoChangingWallPaper [high]
- UC-10.3.535 · Windows Modify Registry ProxyEnable [high]
- UC-10.3.536 · Windows Modify Registry ProxyServer [high]
- UC-10.3.537 · Windows Modify Registry Qakbot Binary Data Registry [high]
- UC-10.3.538 · Windows Modify Registry Regedit Silent Reg Import [high]
- UC-10.3.539 · Windows Modify Registry Suppress Win Defender Notif [high]
- UC-10.3.540 · Windows Modify Registry Tamper Protection [high]
- UC-10.3.541 · Windows Modify Registry UpdateServiceUrlAlternate [high]
- UC-10.3.542 · Windows Modify Registry ValleyRat PWN Reg Entry [high]
- UC-10.3.543 · Windows Modify Registry With MD5 Reg Key Name [high]
- UC-10.3.544 · Windows Modify Registry WuServer [high]
- UC-10.3.545 · Windows Modify Registry wuStatusServer [high]
- UC-10.3.546 · Windows Mshta Execution In Registry [high]
- UC-10.3.547 · Windows MsiExec HideWindow Rundll32 Execution [high]
- UC-10.3.548 · Windows MSIExec Spawn Discovery Command [high]
- UC-10.3.549 · Windows MSIExec Spawn WinDBG [high]
- UC-10.3.550 · Windows MSIExec Unregister DLLRegisterServer [high]
- UC-10.3.551 · True Positive Test [high]
- UC-10.3.552 · True Positive Test [high]
- UC-10.3.553 · True Positive Test [high]
- UC-10.3.554 · True Positive Test [high]
- UC-10.3.555 · True Positive Test [high]
- UC-10.3.556 · Windows Network Connection Discovery Via Net [high]
- UC-10.3.557 · Windows New Custom Security Descriptor Set On EventLog Channel [high]
- UC-10.3.558 · Windows New Default File Association Value Set [high]
- UC-10.3.559 · Windows New Deny Permission Set On Service SD Via Sc.EXE [high]
- UC-10.3.560 · Windows New EventLog ChannelAccess Registry Value Set [high]
- UC-10.3.561 · Windows New InProcServer32 Added [high]
- UC-10.3.562 · Windows New Service Security Descriptor Set Via Sc.EXE [high]
- UC-10.3.563 · Windows Ngrok Reverse Proxy Usage [high]
- UC-10.3.564 · Windows NirSoft AdvancedRun [high]
- UC-10.3.565 · Windows Njrat Fileless Storage via Registry [high]
- UC-10.3.566 · Windows Obfuscated Files or Information via RAR SFX [high]
- UC-10.3.567 · Windows Odbcconf Hunting [high]
- UC-10.3.568 · Windows Odbcconf Load DLL [high]
- UC-10.3.569 · Windows Odbcconf Load Response File [high]
- UC-10.3.570 · Windows Office Product Loading Taskschd DLL [high]
- UC-10.3.571 · Windows Office Product Loading VBE7 DLL [high]
- UC-10.3.572 · Windows Office Product Spawned Child Process For Download [high]
- UC-10.3.573 · Windows Office Product Spawned MSDT [high]
- UC-10.3.574 · Windows PaperCut NG Spawn Shell [high]
- UC-10.3.575 · Windows Parent PID Spoofing with Explorer [high]
- UC-10.3.576 · Windows Password Managers Discovery [high]
- UC-10.3.577 · Windows Password Policy Discovery with Net [high]
- UC-10.3.578 · Windows Powershell Cryptography Namespace [high]
- UC-10.3.579 · Windows Powershell Import Applocker Policy [high]
- UC-10.3.580 · Windows Powershell RemoteSigned File [high]
- UC-10.3.581 · Windows PowerShell Script From WindowsApps Directory [high]
- UC-10.3.582 · Windows PowerView Constrained Delegation Discovery [high]
- UC-10.3.583 · Windows PowerView Unconstrained Delegation Discovery [high]
- UC-10.3.584 · Windows Process Commandline Discovery [high]
- UC-10.3.585 · Windows Process Execution in Temp Dir [high]
- UC-10.3.586 · Windows Process Injection In Non-Service SearchIndexer [high]
- UC-10.3.587 · Windows Process Injection Of Wermgr to Known Browser [high]
- UC-10.3.588 · Windows Process With NamedPipe CommandLine [high]
- UC-10.3.589 · Windows Process With NetExec Command Line Parameters [high]
- UC-10.3.590 · Windows Process Writing File to World Writable Path [high]
- UC-10.3.591 · Windows Processes Killed By Industroyer2 Malware [high]
- UC-10.3.592 · Windows Proxy Via Netsh [high]
- UC-10.3.593 · Windows Proxy Via Registry [high]
- UC-10.3.594 · Windows Raccine Scheduled Task Deletion [high]
- UC-10.3.595 · Windows Raw Access To Disk Volume Partition [high]
- UC-10.3.596 · Windows Registry BootExecute Modification [high]
- UC-10.3.597 · Windows Registry Dotnet ETW Disabled Via ENV Variable [high]
- UC-10.3.598 · Windows Registry Entries Exported Via Reg [high]
- UC-10.3.599 · Windows Registry Entries Restored Via Reg [high]
- UC-10.3.600 · Windows Registry Modification for Safe Mode Persistence [high]
- UC-10.3.601 · Windows Registry Payload Injection [high]
- UC-10.3.602 · Windows Regsvr32 Renamed Binary [high]
- UC-10.3.603 · Windows Remote Access Software RMS Registry [high]
- UC-10.3.604 · Windows Remote Assistance Spawning Process [high]
- UC-10.3.605 · Windows Remote Service Rdpwinst Tool Execution [high]
- UC-10.3.606 · Windows Remote Services Allow Remote Assistance [high]
- UC-10.3.607 · Windows Remote Services Rdp Enable [high]
- UC-10.3.608 · Windows Renamed Powershell Execution [high]
- UC-10.3.609 · Windows Rundll32 Load DLL in Temp Dir [high]
- UC-10.3.610 · Windows RunMRU Command Execution [high]
- UC-10.3.611 · Windows Scheduled Task DLL Module Loaded [high]
- UC-10.3.612 · Windows Scheduled Task with Highest Privileges [high]
- UC-10.3.613 · Windows Schtasks Create Run As System [high]
- UC-10.3.614 · Windows ScManager Security Descriptor Tampering Via Sc.EXE [high]
- UC-10.3.615 · Windows Screen Capture in TEMP folder [high]
- UC-10.3.616 · Windows Security Account Manager Stopped [high]
- UC-10.3.617 · Windows Security And Backup Services Stop [high]
- UC-10.3.618 · Windows Security Support Provider Reg Query [high]
- UC-10.3.619 · Windows Sensitive Group Discovery With Net [high]
- UC-10.3.620 · Windows Sensitive Registry Hive Dump Via CommandLine [high]
- UC-10.3.621 · Windows Server Software Component GACUtil Install to GAC [high]
- UC-10.3.622 · Windows Service Create Kernel Mode Driver [high]
- UC-10.3.623 · Windows Service Create with Tscon [high]
- UC-10.3.624 · Windows Service Deletion In Registry [high]
- UC-10.3.625 · Windows Service Stop Attempt [high]
- UC-10.3.626 · Windows Service Stop By Deletion [high]
- UC-10.3.627 · Windows Snake Malware File Modification Crmlog [high]
- UC-10.3.628 · Windows Snake Malware Kernel Driver Comadmin [high]
- UC-10.3.629 · Windows Snake Malware Service Create [high]
- UC-10.3.630 · Windows SOAPHound Binary Execution [high]
- UC-10.3.631 · Windows SQL Spawning CertUtil [high]
- UC-10.3.632 · Windows SubInAcl Execution [high]
- UC-10.3.633 · Windows Suspicious Process File Path [high]
- UC-10.3.634 · Windows System Binary Proxy Execution Compiled HTML File Decompile [high]
- UC-10.3.635 · Windows System Discovery Using ldap Nslookup [high]
- UC-10.3.636 · Windows System Discovery Using Qwinsta [high]
- UC-10.3.637 · Windows System File on Disk [high]
- UC-10.3.638 · Windows System LogOff Commandline [high]
- UC-10.3.639 · Windows System Network Config Discovery Display DNS [high]
- UC-10.3.640 · Windows System Reboot CommandLine [high]
- UC-10.3.641 · Windows System Remote Discovery With Query [high]
- UC-10.3.642 · Windows System Script Proxy Execution Syncappvpublishingserver [high]
- UC-10.3.643 · Windows System Shutdown CommandLine [high]
- UC-10.3.644 · Windows System Time Discovery W32tm Delay [high]
- UC-10.3.645 · Windows System User Discovery Via Quser [high]
- UC-10.3.646 · Windows System User Privilege Discovery [high]
- UC-10.3.647 · Windows Time Based Evasion [high]
- UC-10.3.648 · Windows Time Based Evasion via Choice Exec [high]
- UC-10.3.649 · True Positive Test [high]
- UC-10.3.650 · True Positive Test [high]
- UC-10.3.651 · True Positive Test [high]
- UC-10.3.652 · True Positive Test [high]
- UC-10.3.653 · True Positive Test [high]
- UC-10.3.654 · Windows USBSTOR Registry Key Modification [high]
- UC-10.3.655 · Windows User Disabled Via Net [high]
- UC-10.3.656 · Windows User Discovery Via Net [high]
- UC-10.3.657 · Windows User Execution Malicious URL Shortcut File [high]
- UC-10.3.658 · Windows WinDBG Spawning AutoIt3 [high]
- UC-10.3.659 · Windows WMI Impersonate Token [high]
- UC-10.3.660 · Windows WMI Process And Service List [high]
- UC-10.3.661 · Windows WMI Process Call Create [high]
- UC-10.3.662 · Windows WMIC Shadowcopy Delete [high]
- UC-10.3.663 · Windows WPDBusEnum Registry Key Modification [high]
- UC-10.3.664 · WMI Recon Running Process Or Services [high]
- UC-10.3.665 · Wmic NonInteractive App Uninstallation [high]
- UC-10.3.666 · Wscript Or Cscript Suspicious Child Process [high]
- UC-10.3.667 · WSReset UAC Bypass [high]
- UC-10.3.668 · XSL Script Execution With WMIC [high]
- UC-10.3.669 · Detect Remote Access Software Usage DNS [high]
- UC-10.3.670 · Excessive DNS Failures [high]
- UC-10.3.671 · HTTP Malware User Agent [high]
- UC-10.3.672 · Remote Desktop Network Traffic [high]
- UC-10.3.673 · Rundll32 DNSQuery [high]
- UC-10.3.674 · Suspicious Process With Discord DNS Query [high]
- UC-10.3.675 · Wermgr Process Connecting To IP Check Web Services [high]
- UC-10.3.676 · Windows DNS Query Request by Telegram Bot API [high]
- UC-10.3.677 · Windows Gather Victim Network Info Through Ip Check Web Services [high]
- UC-10.3.678 · Windows Multi hop Proxy TOR Website Query [high]
- UC-10.3.679 · High Volume of Bytes Out to Url [high]
- UC-10.3.680 · HTTP Scripting Tool User Agent [high]
- UC-10.3.681 · Plain HTTP POST Exfiltrated Data [high]

### 10.4 Email Security

- UC-10.4.1 · Phishing Detection Rate [critical]
- UC-10.4.2 · Malicious Attachment Tracking [critical]
- UC-10.4.3 · URL Click Tracking [critical]
- UC-10.4.4 · DLP Policy Violations [high]
- UC-10.4.5 · Spoofed Email Detection [high]
- UC-10.4.6 · Email Volume Anomalies [high]
- UC-10.4.7 · Quarantine Management [medium]
- UC-10.4.8 · Email Attachments With Lots Of Spaces [high]
- UC-10.4.9 · Email files written outside of the Outlook directory [high]
- UC-10.4.10 · Email servers sending high volume traffic to hosts [high]
- UC-10.4.11 · M365 Copilot Agentic Jailbreak Attack [high]
- UC-10.4.12 · M365 Copilot Application Usage Pattern Anomalies [high]
- UC-10.4.13 · M365 Copilot Failed Authentication Patterns [high]
- UC-10.4.14 · M365 Copilot Impersonation Jailbreak Attack [high]
- UC-10.4.15 · M365 Copilot Information Extraction Jailbreak Attack [high]
- UC-10.4.16 · M365 Copilot Jailbreak Attempts [high]
- UC-10.4.17 · M365 Copilot Non Compliant Devices Accessing M365 Copilot [high]
- UC-10.4.18 · M365 Copilot Session Origin Anomalies [high]
- UC-10.4.19 · Monitor Email For Brand Abuse [high]
- UC-10.4.20 · Okta Phishing Detection with FastPass Origin Check [high]
- UC-10.4.21 · Okta Suspicious Activity Reported [high]
- UC-10.4.22 · Suspicious Email Attachment Extensions [high]
- UC-10.4.23 · AWS Successful Console Authentication From Multiple IPs [high]
- UC-10.4.24 · Azure AD Block User Consent For Risky Apps Disabled [high] [GDPR]
- UC-10.4.25 · Azure AD Device Code Authentication [high]
- UC-10.4.26 · Azure AD FullAccessAsApp Permission Assigned [high]
- UC-10.4.27 · Azure AD Successful Authentication From Different Ips [high]
- UC-10.4.28 · Gdrive suspicious file sharing [high]
- UC-10.4.29 · Gsuite Drive Share In External Email [high]
- UC-10.4.30 · GSuite Email Suspicious Attachment [high]
- UC-10.4.31 · Gsuite Email Suspicious Subject With Attachment [high]
- UC-10.4.32 · Gsuite Email With Known Abuse Web Service Link [high]
- UC-10.4.33 · Gsuite Outbound Email With Attachment To External Domain [high]
- UC-10.4.34 · Gsuite suspicious calendar invite [high]
- UC-10.4.35 · Gsuite Suspicious Shared File Name [high]
- UC-10.4.36 · Kubernetes Pod With Host Network Attachment [high]
- UC-10.4.37 · O365 Add App Role Assignment Grant User [high]
- UC-10.4.38 · O365 Added Service Principal [high]
- UC-10.4.39 · O365 Admin Consent Bypassed by Service Principal [high] [GDPR]
- UC-10.4.40 · O365 Advanced Audit Disabled [high]
- UC-10.4.41 · O365 Application Available To Other Tenants [high]
- UC-10.4.42 · O365 Application Registration Owner Added [high]
- UC-10.4.43 · O365 ApplicationImpersonation Role Assigned [high]
- UC-10.4.44 · O365 BEC Email Hiding Rule Created [high]
- UC-10.4.45 · O365 Block User Consent For Risky Apps Disabled [high] [GDPR]
- UC-10.4.46 · O365 Bypass MFA via Trusted IP [high]
- UC-10.4.47 · O365 Compliance Content Search Exported [high]
- UC-10.4.48 · O365 Compliance Content Search Started [high]
- UC-10.4.49 · O365 Concurrent Sessions From Different Ips [high]
- UC-10.4.50 · O365 Cross-Tenant Access Change [high]
- UC-10.4.51 · O365 Disable MFA [high]
- UC-10.4.52 · O365 DLP Rule Triggered [high]
- UC-10.4.53 · O365 Elevated Mailbox Permission Assigned [high]
- UC-10.4.54 · O365 Email Access By Security Administrator [high]
- UC-10.4.55 · O365 Email Hard Delete Excessive Volume [high]
- UC-10.4.56 · O365 Email New Inbox Rule Created [high]
- UC-10.4.57 · O365 Email Password and Payroll Compromise Behavior [high]
- UC-10.4.58 · O365 Email Receive and Hard Delete Takeover Behavior [high]
- UC-10.4.59 · O365 Email Reported By Admin Found Malicious [high]
- UC-10.4.60 · O365 Email Reported By User Found Malicious [high]
- UC-10.4.61 · O365 Email Security Feature Changed [high]
- UC-10.4.62 · O365 Email Send and Hard Delete Exfiltration Behavior [high]
- UC-10.4.63 · O365 Email Send and Hard Delete Suspicious Behavior [high]
- UC-10.4.64 · O365 Email Send Attachments Excessive Volume [high]
- UC-10.4.65 · O365 Email Suspicious Behavior Alert [high]
- UC-10.4.66 · O365 Email Suspicious Search Behavior [high]
- UC-10.4.67 · O365 Email Transport Rule Changed [high]
- UC-10.4.68 · O365 Excessive Authentication Failures Alert [high]
- UC-10.4.69 · O365 Excessive SSO logon errors [high]
- UC-10.4.70 · O365 Exfiltration via File Access [high]
- UC-10.4.71 · O365 Exfiltration via File Download [high]
- UC-10.4.72 · O365 Exfiltration via File Sync Download [high]
- UC-10.4.73 · O365 External Guest User Invited [high]
- UC-10.4.74 · O365 External Identity Policy Changed [high]
- UC-10.4.75 · O365 File Permissioned Application Consent Granted by User [high] [GDPR]
- UC-10.4.76 · O365 FullAccessAsApp Permission Assigned [high]
- UC-10.4.77 · O365 High Number Of Failed Authentications for User [high]
- UC-10.4.78 · O365 High Privilege Role Granted [high]
- UC-10.4.79 · O365 Mail Permissioned Application Consent Granted by User [high] [GDPR]
- UC-10.4.80 · O365 Mailbox Email Forwarding Enabled [high]
- UC-10.4.81 · O365 Mailbox Folder Read Permission Assigned [high]
- UC-10.4.82 · O365 Mailbox Folder Read Permission Granted [high]
- UC-10.4.83 · O365 Mailbox Inbox Folder Shared with All Users [high]
- UC-10.4.84 · O365 Mailbox Read Access Granted to Application [high]
- UC-10.4.85 · O365 Multi-Source Failed Authentications Spike [high]
- UC-10.4.86 · O365 Multiple AppIDs and UserAgents Authentication Spike [high]
- UC-10.4.87 · O365 Multiple Failed MFA Requests For User [high]
- UC-10.4.88 · O365 Multiple Mailboxes Accessed via API [high]
- UC-10.4.89 · O365 Multiple OS Vendors Authenticating From User [high]
- UC-10.4.90 · O365 Multiple Service Principals Created by SP [high]
- UC-10.4.91 · O365 Multiple Service Principals Created by User [high]
- UC-10.4.92 · O365 Multiple Users Failing To Authenticate From Ip [high]
- UC-10.4.93 · O365 New Email Forwarding Rule Created [high]
- UC-10.4.94 · O365 New Email Forwarding Rule Enabled [high]
- UC-10.4.95 · O365 New Federated Domain Added [high]
- UC-10.4.96 · O365 New Forwarding Mailflow Rule Created [high]
- UC-10.4.97 · O365 New MFA Method Registered [high]
- UC-10.4.98 · O365 OAuth App Mailbox Access via EWS [high]
- UC-10.4.99 · O365 OAuth App Mailbox Access via Graph API [high]
- UC-10.4.100 · O365 Privileged Graph API Permission Assigned [high]
- UC-10.4.101 · O365 Privileged Role Assigned [high]
- UC-10.4.102 · O365 Privileged Role Assigned To Service Principal [high]
- UC-10.4.103 · O365 PST export alert [high]
- UC-10.4.104 · O365 Safe Links Detection [high]
- UC-10.4.105 · O365 Security And Compliance Alert Triggered [high]
- UC-10.4.106 · O365 Service Principal New Client Credentials [high]
- UC-10.4.107 · O365 Service Principal Privilege Escalation [high]
- UC-10.4.108 · O365 SharePoint Allowed Domains Policy Changed [high]
- UC-10.4.109 · O365 SharePoint Malware Detection [high]
- UC-10.4.110 · O365 SharePoint Suspicious Search Behavior [high]
- UC-10.4.111 · O365 Tenant Wide Admin Consent Granted [high] [GDPR]
- UC-10.4.112 · O365 Threat Intelligence Suspicious Email Delivered [high]
- UC-10.4.113 · O365 Threat Intelligence Suspicious File Detected [high]
- UC-10.4.114 · O365 User Consent Blocked for Risky Application [high] [GDPR]
- UC-10.4.115 · O365 User Consent Denied for OAuth Application [high] [GDPR]
- UC-10.4.116 · O365 ZAP Activity Detection [high]
- UC-10.4.117 · Detect Exchange Web Shell [high]
- UC-10.4.118 · Detect Outlook exe writing a zip file [high]
- UC-10.4.119 · Disable Windows SmartScreen Protection [high]
- UC-10.4.120 · Exchange PowerShell Abuse via SSRF [high]
- UC-10.4.121 · Exchange PowerShell Module Usage [high]
- UC-10.4.122 · Mailsniper Invoke functions [high]
- UC-10.4.123 · Microsoft Defender Incident Alerts [high]
- UC-10.4.124 · MS Exchange Mailbox Replication service writing Active Server Pages [high]
- UC-10.4.125 · Windows Impair Defense Overide Win Defender Phishing Filter [high]
- UC-10.4.126 · Windows InProcServer32 New Outlook Form [high]
- UC-10.4.127 · Windows Mail Protocol In Non-Common Process Path [high]
- UC-10.4.128 · Windows MSExchange Management Mailbox Cmdlet Usage [high]
- UC-10.4.129 · Windows Office Product Dropped Uncommon File [high]
- UC-10.4.130 · Windows Outlook Dialogs Disabled from Unusual Process [high]
- UC-10.4.131 · Windows Outlook LoadMacroProviderOnBoot Persistence [high]
- UC-10.4.132 · Windows Outlook Macro Created by Suspicious Process [high]
- UC-10.4.133 · Windows Outlook Macro Security Modified [high]
- UC-10.4.134 · Windows Outlook WebView Registry Modification [high]
- UC-10.4.135 · Windows Phishing Outlook Drop Dll In FORM Dir [high]
- UC-10.4.136 · Windows Phishing PDF File Executes URL Link [high]
- UC-10.4.137 · Windows Phishing Recent ISO Exec Registry [high]
- UC-10.4.138 · Windows RDP File Execution [high]
- UC-10.4.139 · Windows RDPClient Connection Sequence Events [high]
- UC-10.4.140 · Windows Spearphishing Attachment Onenote Spawn Mshta [high]
- UC-10.4.141 · Windows Unsecured Outlook Credentials Access In Registry [high]
- UC-10.4.142 · Detect Large ICMP Traffic [high]
- UC-10.4.143 · Hosts receiving high volume of network traffic from email server [high]
- UC-10.4.144 · SSL Certificates with Punycode [high]
- UC-10.4.145 · Windows Spearphishing Attachment Connect To None MS Office Domain [high]
- UC-10.4.146 · Zeek x509 Certificate with Punycode [high]
- UC-10.4.147 · Monitor Web Traffic For Brand Abuse [high]
- UC-10.4.148 · ProxyShell ProxyNotShell Behavior Detected [high]
- UC-10.4.149 · Windows Exchange Autodiscover SSRF Abuse [high]
- UC-10.4.150 · Zscaler Phishing Activity Threat Blocked [high]

### 10.5 Web Security / Secure Web Gateway

- UC-10.5.1 · Blocked Category Trending [medium]
- UC-10.5.2 · Shadow IT Detection [high]
- UC-10.5.3 · Malware Download Blocks [critical]
- UC-10.5.4 · DLP over Web Traffic [high]
- UC-10.5.5 · DNS Security Events [critical]
- UC-10.5.6 · Bandwidth Abuse Detection [medium]
- UC-10.5.7 · Unencrypted Traffic Detection [medium]
- UC-10.5.8 · Detect Web Access to Decommissioned S3 Bucket [high]
- UC-10.5.9 · Zscaler Adware Activities Threat Blocked [high]
- UC-10.5.10 · Zscaler Behavior Analysis Threat Blocked [high]
- UC-10.5.11 · Zscaler CryptoMiner Downloaded Threat Blocked [high]
- UC-10.5.12 · Zscaler Employment Search Web Activity [high]
- UC-10.5.13 · Zscaler Exploit Threat Blocked [high]
- UC-10.5.14 · Zscaler Legal Liability Threat Blocked [high]
- UC-10.5.15 · Zscaler Malware Activity Threat Blocked [high]
- UC-10.5.16 · Zscaler Potentially Abused File Download [high]
- UC-10.5.17 · Zscaler Privacy Risk Destinations Threat Blocked [high]
- UC-10.5.18 · Zscaler Scam Destinations Threat Blocked [high]
- UC-10.5.19 · Zscaler Virus Download threat blocked [high]
- UC-10.5.20 · Shadow IT Discovery [high]

### 10.6 Vulnerability Management

- UC-10.6.1 · Critical Vulnerability Trending [critical]
- UC-10.6.2 · Mean Time to Remediation [high]
- UC-10.6.3 · Scan Coverage Monitoring [high]
- UC-10.6.4 · Patch Compliance by Team/BU [high]
- UC-10.6.5 · Exploitable Vulnerability Prioritization [critical]
- UC-10.6.6 · Vulnerability SLA Compliance [high]
- UC-10.6.7 · New Vulnerability Detection [critical]
- UC-10.6.8 · Cisco Duo Policy Allow Old Flash [high]
- UC-10.6.9 · CrushFTP Server Side Template Injection [high]
- UC-10.6.10 · ESXi SSH Enabled [high]
- UC-10.6.11 · Ivanti VTM New Account Creation [high]
- UC-10.6.12 · MCP Github Suspicious Operation [high]
- UC-10.6.13 · MCP Prompt Injection [high]
- UC-10.6.14 · No Windows Updates in a time frame [high]
- UC-10.6.15 · Ollama Possible API Endpoint Scan Reconnaissance [high]
- UC-10.6.16 · Ollama Possible RCE via Model Loading [high]
- UC-10.6.17 · Suspicious Java Classes [high]
- UC-10.6.18 · Amazon EKS Kubernetes cluster scan detection [high]
- UC-10.6.19 · Amazon EKS Kubernetes Pod scan detection [high]
- UC-10.6.20 · AWS ECR Container Scanning Findings High [high]
- UC-10.6.21 · AWS ECR Container Scanning Findings Low Informational Unknown [high]
- UC-10.6.22 · AWS ECR Container Scanning Findings Medium [high] - UC-10.6.23 · AWS Excessive Security Scanning [high] - UC-10.6.24 · Azure AD AzureHound UserAgent Detected [high] - UC-10.6.25 · Azure AD Privileged Graph API Permission Assigned [high] - UC-10.6.26 · Circle CI Disable Security Step [high] - UC-10.6.27 · GCP Kubernetes cluster pod scan detection [high] - UC-10.6.28 · GitHub Enterprise Disable Dependabot [high] - UC-10.6.29 · GitHub Organizations Disable Dependabot [high] - UC-10.6.30 · Kubernetes Access Scanning [high] - UC-10.6.31 · Kubernetes Previously Unseen Container Image Name [high] - UC-10.6.32 · Kubernetes Scanner Image Pulling [high] - UC-10.6.33 · Kubernetes Scanning by Unauthenticated IP Address [high] - UC-10.6.34 · Advanced IP or Port Scanner Execution [high] - UC-10.6.35 · Attacker Tools On Endpoint [high] - UC-10.6.36 · Child Processes of Spoolsv exe [high] - UC-10.6.37 · Cisco Isovalent - Pods Running Offensive Tools [high] - UC-10.6.38 · ConnectWise ScreenConnect Path Traversal [high] - UC-10.6.39 · ConnectWise ScreenConnect Path Traversal Windows SACL [high] - UC-10.6.40 · Control Loading from World Writable Directory [high] - UC-10.6.41 · Crowdstrike Admin Weak Password Policy [high] - UC-10.6.42 · Crowdstrike High Identity Risk Severity [high] - UC-10.6.43 · Crowdstrike Medium Identity Risk Severity [high] - UC-10.6.44 · Crowdstrike User Weak Password Policy [high] - UC-10.6.45 · Detect Baron Samedit CVE-2021-3156 [high] - UC-10.6.46 · Detect Baron Samedit CVE-2021-3156 Segfault [high] - UC-10.6.47 · Detect Baron Samedit CVE-2021-3156 via OSQuery [high] - UC-10.6.48 · Disable AMSI Through Registry [high] - UC-10.6.49 · Disabling Windows Local Security Authority Defences via Registry [high] - UC-10.6.50 · Download Files Using Telegram [high] - UC-10.6.51 · Execute Javascript With Jscript COM CLSID [high] - UC-10.6.52 · Hunting 3CXDesktopApp Software [high] - UC-10.6.53 · Linux pkexec Privilege Escalation [high] - UC-10.6.54 · 
Linux Telnet Authentication Bypass [high] - UC-10.6.55 · Log4Shell CVE-2021-44228 Exploitation [high] - UC-10.6.56 · MOVEit Certificate Store Access Failure [high] - UC-10.6.57 · MOVEit Empty Key Fingerprint Authentication Attempt [high] - UC-10.6.58 · MSI Module Loaded by Non-System Binary [high] - UC-10.6.59 · Outbound Network Connection from Java Using Default Ports [high] - UC-10.6.60 · PetitPotam Network Share Access Request [high] - UC-10.6.61 · PetitPotam Suspicious Kerberos TGT Request [high] - UC-10.6.62 · Print Spooler Adding A Printer Driver [high] - UC-10.6.63 · Print Spooler Failed to Load a Plug-in [high] - UC-10.6.64 · Rundll32 Control RunDLL Hunt [high] - UC-10.6.65 · Rundll32 Control RunDLL World Writable Directory [high] - UC-10.6.66 · SAM Database File Access Attempt [high] - UC-10.6.67 · Shim Database File Creation [high] - UC-10.6.68 · Spoolsv Spawning Rundll32 [high] - UC-10.6.69 · Spoolsv Suspicious Loaded Modules [high] - UC-10.6.70 · Spoolsv Suspicious Process Access [high] - UC-10.6.71 · Spoolsv Writing a DLL [high] - UC-10.6.72 · Spoolsv Writing a DLL - Sysmon [high] - UC-10.6.73 · Suspicious Computer Account Name Change [high] - UC-10.6.74 · Suspicious Kerberos Service Ticket Request [high] - UC-10.6.75 · Suspicious Ticket Granting Ticket Request [high] - UC-10.6.76 · Unloading AMSI via Reflection [high] - UC-10.6.77 · Windows Account Discovery With NetUser PreauthNotRequire [high] - UC-10.6.78 · Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc [high] - UC-10.6.79 · Windows Credential Target Information Structure in Commandline [high] - UC-10.6.80 · Windows Detect Network Scanner Behavior [high] - UC-10.6.81 · Windows Disable LogOff Button Through Registry [high] - UC-10.6.82 · Windows DLL Search Order Hijacking Hunt with Sysmon [high] - UC-10.6.83 · Windows DLL Side-Loading In Calc [high] - UC-10.6.84 · Windows DLL Side-Loading Process Child Of Calc [high] - UC-10.6.85 · Windows Driver Load Non-Standard Path [high] - 
UC-10.6.86 · Windows ESX Admins Group Creation Security Event [high] - UC-10.6.87 · Windows ESX Admins Group Creation via Net [high] - UC-10.6.88 · Windows ESX Admins Group Creation via PowerShell [high] - UC-10.6.89 · Windows Explorer.exe Spawning PowerShell or Cmd [high] - UC-10.6.90 · Windows Explorer LNK Exploit Process Launch With Padding [high] - UC-10.6.91 · Windows IIS Components Get-WebGlobalModule Module Query [high] - UC-10.6.92 · Windows IIS Components Module Failed to Load [high] - UC-10.6.93 · Windows Impair Defense Change Win Defender Health Check Intervals [high] - UC-10.6.94 · Windows Impair Defense Change Win Defender Quick Scan Interval [high] - UC-10.6.95 · Windows Impair Defense Configure App Install Control [high] - UC-10.6.96 · Windows Impair Defense Disable Win Defender Compute File Hashes [high] - UC-10.6.97 · Windows Impair Defense Disable Win Defender Network Protection [high] - UC-10.6.98 · Windows Impair Defense Disable Win Defender Scan On Update [high] - UC-10.6.99 · Windows Kerberos Coercion via DNS [high] - UC-10.6.100 · Windows Modify Registry USeWuServer [high] - UC-10.6.101 · Windows MOVEit Transfer Writing ASPX [high] - UC-10.6.102 · Windows MSC EvilTwin Directory Path Manipulation [high] - UC-10.6.103 · Windows Office Product Dropped Cab or Inf File [high] - UC-10.6.104 · Windows Office Product Loaded MSHTML Module [high] - UC-10.6.105 · Windows Office Product Spawned Control [high] - UC-10.6.106 · Windows Office Product Spawned Uncommon Process [high] - UC-10.6.107 · Windows Privileged Group Modification [high] - UC-10.6.108 · Windows Query Registry UnInstall Program List [high] - UC-10.6.109 · Windows Rundll32 WebDAV Request [high] - UC-10.6.110 · Windows Rundll32 WebDav With Network Connection [high] - UC-10.6.111 · Windows Service Stop Win Updates [high] - UC-10.6.112 · Windows SharePoint Spinstall0 Webshell File Creation [high] - UC-10.6.113 · Windows Shell Process from CrushFTP [high] - UC-10.6.114 · Windows SpeechRuntime 
COM Hijacking DLL Load [high] - UC-10.6.115 · Windows SpeechRuntime Suspicious Child Process [high] - UC-10.6.116 · Windows Sqlservr Spawning Shell [high] - UC-10.6.117 · Windows Suspicious Child Process Spawned From WebServer [high] - UC-10.6.118 · Windows Suspicious VMWare Tools Child Process [high] - UC-10.6.119 · Windows Vulnerable 3CX Software [high] - UC-10.6.120 · Windows Vulnerable Driver Installed [high] - UC-10.6.121 · Windows Vulnerable Driver Loaded [high] - UC-10.6.122 · Windows WSUS Spawning Shell [high] - UC-10.6.123 · Winhlp32 Spawning a Process [high] - UC-10.6.124 · WinRAR Spawning Shell Application [high] - UC-10.6.125 · WinRM Spawning a Process [high] - UC-10.6.126 · Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity [high] - UC-10.6.127 · Cisco Smart Install Port Discovery and Status [high] - UC-10.6.128 · Detect Windows DNS SIGRed via Splunk Stream [high] - UC-10.6.129 · Detect Windows DNS SIGRed via Zeek [high] - UC-10.6.130 · Detect Zerologon via Zeek [high] - UC-10.6.131 · DNS Kerberos Coercion [high] - UC-10.6.132 · F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 [high] - UC-10.6.133 · Internal Horizontal Port Scan [high] - UC-10.6.134 · Internal Horizontal Port Scan NMAP Top 20 [high] - UC-10.6.135 · Internal Vertical Port Scan [high] - UC-10.6.136 · Internal Vulnerability Scan [high] - UC-10.6.137 · Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint [high] - UC-10.6.138 · Adobe ColdFusion Access Control Bypass [high] - UC-10.6.139 · Adobe ColdFusion Unauthenticated Arbitrary File Read [high] - UC-10.6.140 · Cisco IOS XE Implant Access [high] - UC-10.6.141 · Citrix ADC and Gateway Unauthorized Data Disclosure [high] - UC-10.6.142 · Citrix ADC Exploitation CVE-2023-3519 [high] - UC-10.6.143 · Citrix ShareFile Exploitation CVE-2023-24489 [high] - UC-10.6.144 · Confluence CVE-2023-22515 Trigger Vulnerability [high] - UC-10.6.145 · Confluence Data Center and Server Privilege Escalation [high] - UC-10.6.146 · 
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 [high] - UC-10.6.147 · Confluence Unauthenticated Remote Code Execution CVE-2022-26134 [high] - UC-10.6.148 · ConnectWise ScreenConnect Authentication Bypass [high] - UC-10.6.149 · CrushFTP Authentication Bypass Exploitation [high] - UC-10.6.150 · CrushFTP Max Simultaneous Users From IP [high] - UC-10.6.151 · Detect attackers scanning for vulnerable JBoss servers [high] - UC-10.6.152 · Detect F5 TMUI RCE CVE-2020-5902 [high] - UC-10.6.153 · Detect malicious requests to exploit JBoss servers [high] - UC-10.6.154 · Exploit Public Facing Application via Apache Commons Text [high] - UC-10.6.155 · Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 [high] - UC-10.6.156 · F5 TMUI Authentication Bypass [high] - UC-10.6.157 · Fortinet Appliance Auth bypass [high] - UC-10.6.158 · HTTP Possible Request Smuggling [high] - UC-10.6.159 · HTTP Rapid POST with Mixed Status Codes [high] - UC-10.6.160 · Hunting for Log4Shell [high] - UC-10.6.161 · Ivanti Connect Secure Command Injection Attempts [high] - UC-10.6.162 · Ivanti Connect Secure SSRF in SAML Component [high] - UC-10.6.163 · Ivanti Connect Secure System Information Access via Auth Bypass [high] - UC-10.6.164 · Ivanti EPM SQL Injection Remote Code Execution [high] - UC-10.6.165 · Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 [high] - UC-10.6.166 · Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 [high] - UC-10.6.167 · Ivanti Sentry Authentication Bypass [high] - UC-10.6.168 · Java Class File download by Java User Agent [high] - UC-10.6.169 · Jenkins Arbitrary File Read CVE-2024-23897 [high] - UC-10.6.170 · JetBrains TeamCity Authentication Bypass CVE-2024-27198 [high] - UC-10.6.171 · JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 [high] - UC-10.6.172 · JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 [high] - UC-10.6.173 · JetBrains TeamCity RCE Attempt [high] - UC-10.6.174 · Juniper Networks Remote Code 
Execution Exploit Detection [high] - UC-10.6.175 · Log4Shell JNDI Payload Injection Attempt [high] - UC-10.6.176 · Log4Shell JNDI Payload Injection with Outbound Connection [high] - UC-10.6.177 · Microsoft SharePoint Server Elevation of Privilege [high] - UC-10.6.178 · Nginx ConnectWise ScreenConnect Authentication Bypass [high] - UC-10.6.179 · Spring4Shell Payload URL Request [high] - UC-10.6.180 · Tomcat Session Deserialization Attempt [high] - UC-10.6.181 · Tomcat Session File Upload Attempt [high] - UC-10.6.182 · Unusually Long Content-Type Length [high] - UC-10.6.183 · VMWare Aria Operations Exploit Attempt [high] - UC-10.6.184 · VMware Server Side Template Injection Hunt [high] - UC-10.6.185 · VMware Workspace ONE Freemarker Server-side Template Injection [high] - UC-10.6.186 · Web JSP Request via URL [high] - UC-10.6.187 · Web Remote ShellServlet Access [high] - UC-10.6.188 · Web Spring4Shell HTTP Request Class Module [high] - UC-10.6.189 · Web Spring Cloud Function FunctionRouter [high] - UC-10.6.190 · Windows SharePoint Spinstall0 GET Request [high] - UC-10.6.191 · Windows SharePoint ToolPane Endpoint Exploitation Attempt [high] - UC-10.6.192 · WordPress Bricks Builder plugin RCE [high] - UC-10.6.193 · WS FTP Remote Code Execution [high] ### 10.7 SIEM & SOAR - UC-10.7.1 · Alert Volume Trending [high] - UC-10.7.2 · Analyst Workload Distribution [medium] - UC-10.7.3 · MTTD and MTTR Tracking [critical] - UC-10.7.4 · Playbook Execution Monitoring [high] - UC-10.7.5 · Correlation Search Performance [medium] - UC-10.7.6 · False Positive Rate Tracking [high] - UC-10.7.7 · AWS Defense Evasion Delete CloudTrail [critical] - UC-10.7.8 · Detect Password Spray Attempts [critical] - UC-10.7.9 · Cisco Duo Admin Login Unusual Browser [high] - UC-10.7.10 · Cisco Duo Admin Login Unusual Country [high] - UC-10.7.11 · Cisco Duo Admin Login Unusual Os [high] - UC-10.7.12 · Cisco Duo Bulk Policy Deletion [high] - UC-10.7.13 · Cisco Duo Bypass Code Generation [high] - 
UC-10.7.14 · Cisco Duo Policy Allow Devices Without Screen Lock [high] - UC-10.7.15 · Cisco Duo Policy Allow Network Bypass 2FA [high] - UC-10.7.16 · Cisco Duo Policy Allow Old Java [high] - UC-10.7.17 · Cisco Duo Policy Allow Tampered Devices [high] - UC-10.7.18 · Cisco Duo Policy Bypass 2FA [high] - UC-10.7.19 · Cisco Duo Policy Deny Access [high] - UC-10.7.20 · Cisco Duo Policy Skip 2FA for Other Countries [high] - UC-10.7.21 · Cisco Duo Set User Status to Bypass 2FA [high] - UC-10.7.22 · Detect Distributed Password Spray Attempts [high] - UC-10.7.23 · ESXi Account Modified [high] - UC-10.7.24 · ESXi Audit Tampering [high] - UC-10.7.25 · ESXi Download Errors [high] - UC-10.7.26 · ESXi Encryption Settings Modified [high] - UC-10.7.27 · ESXi External Root Login Activity [high] - UC-10.7.28 · ESXi Loghost Config Tampering [high] - UC-10.7.29 · ESXi Reverse Shell Patterns [high] - UC-10.7.30 · ESXi Shell Access Enabled [high] - UC-10.7.31 · ESXi SSH Brute Force [high] - UC-10.7.32 · ESXi Syslog Config Change [high] - UC-10.7.33 · ESXi System Clock Manipulation [high] - UC-10.7.34 · ESXi System Information Discovery [high] - UC-10.7.35 · ESXi User Granted Admin Role [high] - UC-10.7.36 · ESXi VIB Acceptance Level Tampering [high] - UC-10.7.37 · ESXi VM Discovery [high] - UC-10.7.38 · ESXi VM Exported via Remote Tool [high] - UC-10.7.39 · MCP Filesystem Server Suspicious Extension Write [high] - UC-10.7.40 · MCP Postgres Suspicious Query [high] - UC-10.7.41 · MCP Sensitive System File Search [high] - UC-10.7.42 · Okta IDP Lifecycle Modifications [high] - UC-10.7.43 · Okta MFA Exhaustion Hunt [high] - UC-10.7.44 · Okta Mismatch Between Source and Response for Verify Push Request [high] - UC-10.7.45 · Okta Multi-Factor Authentication Disabled [high] - UC-10.7.46 · Okta Multiple Accounts Locked Out [high] - UC-10.7.47 · Okta Multiple Failed MFA Requests For User [high] - UC-10.7.48 · Okta Multiple Failed Requests to Access Applications [high] - UC-10.7.49 · Okta Multiple 
Users Failing To Authenticate From Ip [high] - UC-10.7.50 · Okta New API Token Created [high] - UC-10.7.51 · Okta New Device Enrolled on Account [high] - UC-10.7.52 · Okta Risk Threshold Exceeded [high] - UC-10.7.53 · Okta Successful Single Factor Authentication [high] - UC-10.7.54 · Okta Suspicious Use of a Session Cookie [high] - UC-10.7.55 · Okta ThreatInsight Threat Detected [high] - UC-10.7.56 · Okta Unauthorized Access to Application [high] - UC-10.7.57 · Okta User Logins from Multiple Cities [high] - UC-10.7.58 · Ollama Abnormal Network Connectivity [high] - UC-10.7.59 · Ollama Abnormal Service Crash Availability Attack [high] - UC-10.7.60 · Ollama Possible Memory Exhaustion Resource Abuse [high] - UC-10.7.61 · PingID Mismatch Auth Source and Verification Response [high] - UC-10.7.62 · PingID Multiple Failed MFA Requests For User [high] - UC-10.7.63 · PingID New MFA Method After Credential Reset [high] - UC-10.7.64 · PingID New MFA Method Registered For User [high] - UC-10.7.65 · Splunk AppDynamics Secure Application Alerts [high] - UC-10.7.66 · Zoom High Video Latency [high] - UC-10.7.67 · Zoom Rare Audio Devices [high] - UC-10.7.68 · Zoom Rare Input Devices [high] - UC-10.7.69 · Zoom Rare Video Devices [high] - UC-10.7.70 · Abnormally High Number Of Cloud Infrastructure API Calls [high] - UC-10.7.71 · Abnormally High Number Of Cloud Instances Destroyed [high] - UC-10.7.72 · Abnormally High Number Of Cloud Instances Launched [high] - UC-10.7.73 · ASL AWS Create Access Key [high] - UC-10.7.74 · ASL AWS Create Policy Version to allow all resources [high] - UC-10.7.75 · ASL AWS Credential Access RDS Password reset [high] - UC-10.7.76 · ASL AWS Defense Evasion Delete CloudWatch Log Group [high] - UC-10.7.77 · ASL AWS Defense Evasion PutBucketLifecycle [high] - UC-10.7.78 · ASL AWS Defense Evasion Stop Logging Cloudtrail [high] - UC-10.7.79 · ASL AWS Defense Evasion Update Cloudtrail [high] - UC-10.7.80 · ASL AWS Detect Users creating keys with encrypt policy 
without MFA [high] - UC-10.7.81 · ASL AWS EC2 Snapshot Shared Externally [high] - UC-10.7.82 · ASL AWS ECR Container Upload Outside Business Hours [high] - UC-10.7.83 · ASL AWS ECR Container Upload Unknown User [high] - UC-10.7.84 · ASL AWS IAM AccessDenied Discovery Events [high] - UC-10.7.85 · ASL AWS IAM Assume Role Policy Brute Force [high] - UC-10.7.86 · ASL AWS IAM Delete Policy [high] - UC-10.7.87 · ASL AWS IAM Failure Group Deletion [high] - UC-10.7.88 · ASL AWS Multi-Factor Authentication Disabled [high] - UC-10.7.89 · ASL AWS Network Access Control List Created with All Open Ports [high] - UC-10.7.90 · ASL AWS Network Access Control List Deleted [high] - UC-10.7.91 · ASL AWS New MFA Method Registered For User [high] - UC-10.7.92 · ASL AWS SAML Update identity provider [high] - UC-10.7.93 · ASL AWS UpdateLoginProfile [high] - UC-10.7.94 · AWS AMI Attribute Modification for Exfiltration [high] - UC-10.7.95 · AWS Console Login Failed During MFA Challenge [high] - UC-10.7.96 · AWS Create Policy Version to allow all resources [high] - UC-10.7.97 · AWS CreateAccessKey [high] - UC-10.7.98 · AWS CreateLoginProfile [high] - UC-10.7.99 · AWS Credential Access Failed Login [high] - UC-10.7.100 · AWS Credential Access RDS Password reset [high] - UC-10.7.101 · AWS Defense Evasion Delete CloudWatch Log Group [high] - UC-10.7.102 · AWS Defense Evasion Impair Security Services [high] - UC-10.7.103 · AWS Defense Evasion PutBucketLifecycle [high] - UC-10.7.104 · AWS Defense Evasion Stop Logging Cloudtrail [high] - UC-10.7.105 · AWS Defense Evasion Update Cloudtrail [high] - UC-10.7.106 · AWS Detect Users creating keys with encrypt policy without MFA [high] - UC-10.7.107 · AWS Detect Users with KMS keys performing encryption S3 [high] - UC-10.7.108 · AWS EC2 Snapshot Shared Externally [high] - UC-10.7.109 · AWS ECR Container Upload Outside Business Hours [high] - UC-10.7.110 · AWS ECR Container Upload Unknown User [high] - UC-10.7.111 · AWS Exfiltration via Anomalous 
GetObject API Activity [high] - UC-10.7.112 · AWS Exfiltration via Batch Service [high] - UC-10.7.113 · AWS Exfiltration via Bucket Replication [high] - UC-10.7.114 · AWS Exfiltration via DataSync Task [high] - UC-10.7.115 · AWS Exfiltration via EC2 Snapshot [high] - UC-10.7.116 · AWS High Number Of Failed Authentications For User [high] - UC-10.7.117 · AWS High Number Of Failed Authentications From Ip [high] - UC-10.7.118 · AWS IAM AccessDenied Discovery Events [high] - UC-10.7.119 · AWS IAM Assume Role Policy Brute Force [high] - UC-10.7.120 · AWS IAM Delete Policy [high] - UC-10.7.121 · AWS IAM Failure Group Deletion [high] - UC-10.7.122 · AWS IAM Successful Group Deletion [high] - UC-10.7.123 · AWS Lambda UpdateFunctionCode [high] - UC-10.7.124 · AWS Multi-Factor Authentication Disabled [high] - UC-10.7.125 · AWS Multiple Failed MFA Requests For User [high] - UC-10.7.126 · AWS Multiple Users Failing To Authenticate From Ip [high] - UC-10.7.127 · AWS Network Access Control List Created with All Open Ports [high] - UC-10.7.128 · AWS Network Access Control List Deleted [high] - UC-10.7.129 · AWS New MFA Method Registered For User [high] - UC-10.7.130 · AWS Password Policy Changes [high] - UC-10.7.131 · AWS SAML Update identity provider [high] - UC-10.7.132 · AWS SetDefaultPolicyVersion [high] - UC-10.7.133 · AWS Successful Single-Factor Authentication [high] - UC-10.7.134 · AWS Unusual Number of Failed Authentications From Ip [high] - UC-10.7.135 · AWS UpdateLoginProfile [high] - UC-10.7.136 · Azure Active Directory High Risk Sign-in [high] - UC-10.7.137 · Azure AD Admin Consent Bypassed by Service Principal [high] [GDPR] - UC-10.7.138 · Azure AD Application Administrator Role Assigned [high] - UC-10.7.139 · Azure AD Authentication Failed During MFA Challenge [high] - UC-10.7.140 · Azure AD External Guest User Invited [high] - UC-10.7.141 · Azure AD Global Administrator Role Assigned [high] - UC-10.7.142 · Azure AD High Number Of Failed Authentications For User 
[high] - UC-10.7.143 · Azure AD High Number Of Failed Authentications From Ip [high] - UC-10.7.144 · Azure AD Multi-Factor Authentication Disabled [high] - UC-10.7.145 · Azure AD Multiple Denied MFA Requests For User [high] - UC-10.7.146 · Azure AD Multiple Failed MFA Requests For User [high] - UC-10.7.147 · Azure AD Multiple Service Principals Created by SP [high] - UC-10.7.148 · Azure AD Multiple Service Principals Created by User [high] - UC-10.7.149 · Azure AD Multiple Users Failing To Authenticate From Ip [high] - UC-10.7.150 · Azure AD New Custom Domain Added [high] - UC-10.7.151 · Azure AD New Federated Domain Added [high] - UC-10.7.152 · Azure AD New MFA Method Registered [high] - UC-10.7.153 · Azure AD New MFA Method Registered For User [high] - UC-10.7.154 · Azure AD OAuth Application Consent Granted By User [high] [GDPR] - UC-10.7.155 · Azure AD PIM Role Assigned [high] - UC-10.7.156 · Azure AD PIM Role Assignment Activated [high] - UC-10.7.157 · Azure AD Privileged Authentication Administrator Role Assigned [high] - UC-10.7.158 · Azure AD Privileged Role Assigned [high] - UC-10.7.159 · Azure AD Privileged Role Assigned to Service Principal [high] - UC-10.7.160 · Azure AD Service Principal Created [high] - UC-10.7.161 · Azure AD Service Principal Enumeration [high] - UC-10.7.162 · Azure AD Service Principal Owner Added [high] - UC-10.7.163 · Azure AD Service Principal Privilege Escalation [high] - UC-10.7.164 · Azure AD Successful PowerShell Authentication [high] - UC-10.7.165 · Azure AD Successful Single-Factor Authentication [high] - UC-10.7.166 · Azure AD Tenant Wide Admin Consent Granted [high] [GDPR] - UC-10.7.167 · Azure AD User Consent Blocked for Risky Application [high] [GDPR] - UC-10.7.168 · Azure AD User Consent Denied for OAuth Application [high] [GDPR] - UC-10.7.169 · Azure AD User Enabled And Password Reset [high] - UC-10.7.170 · Azure AD User ImmutableId Attribute Updated [high] - UC-10.7.171 · Azure Automation Account Created [high] - 
UC-10.7.172 · Azure Automation Runbook Created [high] - UC-10.7.173 · Azure Runbook Webhook Created [high] - UC-10.7.174 · Cloud Compute Instance Created By Previously Unseen User [high] - UC-10.7.175 · Cloud Compute Instance Created In Previously Unused Region [high] - UC-10.7.176 · Cloud Compute Instance Created With Previously Unseen Instance Type [high] - UC-10.7.177 · Cloud Instance Modified By Previously Unseen User [high] - UC-10.7.178 · Cloud Provisioning Activity From Previously Unseen City [high] - UC-10.7.179 · Cloud Provisioning Activity From Previously Unseen Country [high] - UC-10.7.180 · Cloud Provisioning Activity From Previously Unseen IP Address [high] - UC-10.7.181 · Cloud Provisioning Activity From Previously Unseen Region [high] - UC-10.7.182 · Cloud Security Groups Modifications by User [high] - UC-10.7.183 · Detect AWS Console Login by New User [high] - UC-10.7.184 · Detect AWS Console Login by User from New City [high] - UC-10.7.185 · Detect AWS Console Login by User from New Country [high] - UC-10.7.186 · Detect GCP Storage access from a new IP [high] - UC-10.7.187 · Detect New Open GCP Storage Buckets [high] - UC-10.7.188 · Detect New Open S3 buckets [high] - UC-10.7.189 · Detect New Open S3 Buckets over AWS CLI [high] - UC-10.7.190 · Detect S3 access from a new IP [high] - UC-10.7.191 · Detect Spike in S3 Bucket deletion [high] - UC-10.7.192 · GCP Authentication Failed During MFA Challenge [high] - UC-10.7.193 · GCP Multi-Factor Authentication Disabled [high] - UC-10.7.194 · GCP Multiple Failed MFA Requests For User [high] - UC-10.7.195 · GCP Multiple Users Failing To Authenticate From Ip [high] - UC-10.7.196 · GCP Successful Single-Factor Authentication [high] - UC-10.7.197 · Geographic Improbable Location [high] - UC-10.7.198 · GitHub Enterprise Delete Branch Ruleset [high] - UC-10.7.199 · GitHub Enterprise Disable 2FA Requirement [high] - UC-10.7.200 · GitHub Enterprise Disable Audit Log Event Stream [high] - UC-10.7.201 · GitHub 
Enterprise Disable Classic Branch Protection Rule [high] - UC-10.7.202 · GitHub Enterprise Disable IP Allow List [high] - UC-10.7.203 · GitHub Enterprise Modify Audit Log Event Stream [high] - UC-10.7.204 · GitHub Enterprise Pause Audit Log Event Stream [high] - UC-10.7.205 · GitHub Enterprise Register Self Hosted Runner [high] - UC-10.7.206 · GitHub Enterprise Remove Organization [high] - UC-10.7.207 · GitHub Enterprise Repository Archived [high] - UC-10.7.208 · GitHub Enterprise Repository Deleted [high] - UC-10.7.209 · GitHub Organizations Delete Branch Ruleset [high] - UC-10.7.210 · GitHub Organizations Disable 2FA Requirement [high] - UC-10.7.211 · GitHub Organizations Disable Classic Branch Protection Rule [high] - UC-10.7.212 · GitHub Organizations Repository Archived [high] - UC-10.7.213 · GitHub Organizations Repository Deleted [high] - UC-10.7.214 · High Number of Login Failures from a single source [high] - UC-10.7.215 · Kubernetes Abuse of Secret by Unusual Location [high] - UC-10.7.216 · Kubernetes Abuse of Secret by Unusual User Agent [high] - UC-10.7.217 · Kubernetes Abuse of Secret by Unusual User Group [high] - UC-10.7.218 · Kubernetes Abuse of Secret by Unusual User Name [high] - UC-10.7.219 · Kubernetes Anomalous Inbound Network Activity from Process [high] - UC-10.7.220 · Kubernetes Anomalous Inbound Outbound Network IO [high] - UC-10.7.221 · Kubernetes Anomalous Inbound to Outbound Network IO Ratio [high] - UC-10.7.222 · Kubernetes Anomalous Outbound Network Activity from Process [high] - UC-10.7.223 · Kubernetes Anomalous Traffic on Network Edge [high] - UC-10.7.224 · Kubernetes AWS detect suspicious kubectl calls [high] - UC-10.7.225 · Kubernetes Create or Update Privileged Pod [high] - UC-10.7.226 · Kubernetes Cron Job Creation [high] - UC-10.7.227 · Kubernetes DaemonSet Deployed [high] - UC-10.7.228 · Kubernetes Falco Shell Spawned [high] - UC-10.7.229 · Kubernetes newly seen TCP edge [high] - UC-10.7.230 · Kubernetes newly seen UDP edge 
[high] - UC-10.7.231 · Kubernetes Nginx Ingress LFI [high] - UC-10.7.232 · Kubernetes Nginx Ingress RFI [high] - UC-10.7.233 · Kubernetes Node Port Creation [high] - UC-10.7.234 · Kubernetes Pod Created in Default Namespace [high] - UC-10.7.235 · Kubernetes Previously Unseen Process [high] - UC-10.7.236 · Kubernetes Process Running From New Path [high] - UC-10.7.237 · Kubernetes Process with Anomalous Resource Utilisation [high] - UC-10.7.238 · Kubernetes Process with Resource Ratio Anomalies [high] - UC-10.7.239 · Kubernetes Shell Running on Worker Node [high] - UC-10.7.240 · Kubernetes Shell Running on Worker Node with CPU Activity [high] - UC-10.7.241 · Kubernetes Suspicious Image Pulling [high] - UC-10.7.242 · Kubernetes Unauthorized Access [high] - UC-10.7.243 · Microsoft Intune Device Health Scripts [high] - UC-10.7.244 · Microsoft Intune DeviceManagementConfigurationPolicies [high] - UC-10.7.245 · Microsoft Intune Manual Device Management [high] - UC-10.7.246 · Microsoft Intune Mobile Apps [high] - UC-10.7.247 · Okta Non-Standard VPN Usage [high] - UC-10.7.248 · Risk Rule for Dev Sec Ops by Repository [high] - UC-10.7.249 · Access LSASS Memory for Dump Creation [high] - UC-10.7.250 · Active Directory Privilege Escalation Identified [high] - UC-10.7.251 · Add or Set Windows Defender Exclusion [high] - UC-10.7.252 · AdsiSearcher Account Discovery [high] - UC-10.7.253 · Cisco Isovalent - Cron Job Creation [high] - UC-10.7.254 · Cisco Isovalent - Kprobe Spike [high] - UC-10.7.255 · Cisco Isovalent - Late Process Execution [high] - UC-10.7.256 · Cisco Isovalent - Non Allowlisted Image Use [high] - UC-10.7.257 · Cisco Isovalent - Nsenter Usage in Kubernetes Pod [high] - UC-10.7.258 · Cisco Isovalent - Potential Escape to Host [high] - UC-10.7.259 · Cisco Isovalent - Shell Execution [high] - UC-10.7.260 · Cisco NVM - Curl Execution With Insecure Flags [high] - UC-10.7.261 · Cisco NVM - Installation of Typosquatted Python Package [high] - UC-10.7.262 · Cisco NVM - 
MSHTML or MSHTA Network Execution Without URL in CLI [high]
- UC-10.7.263 · Cisco NVM - Non-Network Binary Making Network Connection [high]
- UC-10.7.264 · Cisco NVM - Outbound Connection to Suspicious Port [high]
- UC-10.7.265 · Cisco NVM - Rclone Execution With Network Activity [high]
- UC-10.7.266 · Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download [high]
- UC-10.7.267 · Cisco NVM - Susp Script From Archive Triggering Network Activity [high]
- UC-10.7.268 · Cisco NVM - Suspicious Download From File Sharing Website [high]
- UC-10.7.269 · Cisco NVM - Suspicious File Download via Headless Browser [high]
- UC-10.7.270 · Cisco NVM - Suspicious Network Connection From Process With No Args [high]
- UC-10.7.271 · Cisco NVM - Suspicious Network Connection Initiated via MsXsl [high]
- UC-10.7.272 · Cisco NVM - Suspicious Network Connection to IP Lookup Service API [high]
- UC-10.7.273 · Cisco NVM - Webserver Download From File Sharing Website [high]
- UC-10.7.274 · Create Remote Thread into LSASS [high]
- UC-10.7.275 · Creation of lsass Dump with Taskmgr [high]
- UC-10.7.276 · Crowdstrike Admin With Duplicate Password [high]
- UC-10.7.277 · CrowdStrike Falcon Stream Alerts [high]
- UC-10.7.278 · Crowdstrike Medium Severity Alert [high]
- UC-10.7.279 · Crowdstrike Multiple LOW Severity Alerts [high]
- UC-10.7.280 · Crowdstrike Privilege Escalation For Non-Admin User [high]
- UC-10.7.281 · Crowdstrike User with Duplicate Password [high]
- UC-10.7.282 · Curl Execution with Percent Encoded URL [high]
- UC-10.7.283 · Detect Computer Changed with Anonymous Account [high]
- UC-10.7.284 · Detect Copy of ShadowCopy with Script Block Logging [high]
- UC-10.7.285 · Detect Credential Dumping through LSASS access [high]
- UC-10.7.286 · Detect Empire with PowerShell Script Block Logging [high]
- UC-10.7.287 · Detect New Local Admin account [high]
- UC-10.7.288 · Detect Password Spray Attack Behavior From Source [high]
- UC-10.7.289 · Detect Password Spray Attack Behavior On User [high]
- UC-10.7.290 · Detect Rare Executables [high]
- UC-10.7.291 · Detect Regasm with Network Connection [high]
- UC-10.7.292 · Detect Regsvcs with Network Connection [high]
- UC-10.7.293 · Detect Remote Access Software Usage File [high]
- UC-10.7.294 · Detect Remote Access Software Usage FileInfo [high]
- UC-10.7.295 · Detect Remote Access Software Usage Registry [high]
- UC-10.7.296 · Detect Renamed 7-Zip [high]
- UC-10.7.297 · Detect RTLO In File Name [high]
- UC-10.7.298 · Detect WMI Event Subscription Persistence [high]
- UC-10.7.299 · Disabled Kerberos Pre-Authentication Discovery With Get-ADUser [high]
- UC-10.7.300 · Disabled Kerberos Pre-Authentication Discovery With PowerView [high]
- UC-10.7.301 · Disabling Remote User Account Control [high]
- UC-10.7.302 · DLLHost with no Command Line Arguments with Network [high]
- UC-10.7.303 · Domain Group Discovery with Adsisearcher [high]
- UC-10.7.304 · Dump LSASS via procdump [high]
- UC-10.7.305 · Elevated Group Discovery with PowerView [high]
- UC-10.7.306 · Enumerate Users Local Group Using Telegram [high]
- UC-10.7.307 · Excessive Usage Of Cacls App [high]
- UC-10.7.308 · Executables Or Script Creation In Suspicious Path [high]
- UC-10.7.309 · Executables Or Script Creation In Temp Path [high]
- UC-10.7.310 · File Download or Read to Pipe Execution [high]
- UC-10.7.311 · First Time Seen Running Windows Service [high]
- UC-10.7.312 · Get ADDefaultDomainPasswordPolicy with Powershell Script Block [high]
- UC-10.7.313 · Get ADUser with PowerShell Script Block [high]
- UC-10.7.314 · Get ADUserResultantPasswordPolicy with Powershell Script Block [high]
- UC-10.7.315 · Get DomainPolicy with Powershell Script Block [high]
- UC-10.7.316 · Get DomainUser with PowerShell Script Block [high]
- UC-10.7.317 · GetAdComputer with PowerShell Script Block [high]
- UC-10.7.318 · GetDomainComputer with PowerShell Script Block [high]
- UC-10.7.319 · GetDomainController with PowerShell Script Block [high]
- UC-10.7.320 · GetDomainGroup with PowerShell Script Block [high]
- UC-10.7.321 · GetLocalUser with PowerShell Script Block [high]
- UC-10.7.322 · GetNetTcpconnection with PowerShell Script Block [high]
- UC-10.7.323 · GetWmiObject Ds Computer with PowerShell Script Block [high]
- UC-10.7.324 · GetWmiObject Ds Group with PowerShell Script Block [high]
- UC-10.7.325 · GetWmiObject DS User with PowerShell Script Block [high]
- UC-10.7.326 · GetWmiObject User Account with PowerShell Script Block [high]
- UC-10.7.327 · GitHub Workflow File Creation or Modification [high]
- UC-10.7.328 · Headless Browser Mockbin or Mocky Request [high]
- UC-10.7.329 · High Frequency Copy Of Files In Network Share [high]
- UC-10.7.330 · Icacls Deny Command [high]
- UC-10.7.331 · ICACLS Grant Command [high]
- UC-10.7.332 · IcedID Exfiltrated Archived File Creation [high]
- UC-10.7.333 · Kerberoasting spn request with RC4 encryption [high]
- UC-10.7.334 · Kerberos Pre-Authentication Flag Disabled in UserAccountControl [high]
- UC-10.7.335 · Kerberos Pre-Authentication Flag Disabled with PowerShell [high]
- UC-10.7.336 · Kerberos Service Ticket Request Using RC4 Encryption [high]
- UC-10.7.337 · Kerberos TGT Request Using RC4 Encryption [high]
- UC-10.7.338 · Linux Auditd Add User Account Type [high]
- UC-10.7.339 · Linux Auditd Auditd Daemon Abort [high]
- UC-10.7.340 · Linux Auditd Auditd Daemon Shutdown [high]
- UC-10.7.341 · Linux Auditd Auditd Daemon Start [high]
- UC-10.7.342 · Linux Auditd Auditd Service Stop [high]
- UC-10.7.343 · Linux Auditd Base64 Decode Files [high]
- UC-10.7.344 · Linux Auditd Clipboard Data Copy [high]
- UC-10.7.345 · Linux Auditd Data Transfer Size Limits Via Split [high]
- UC-10.7.346 · Linux Auditd Data Transfer Size Limits Via Split Syscall [high]
- UC-10.7.347 · Linux Auditd Dd File Overwrite [high]
- UC-10.7.348 · Linux Auditd Doas Conf File Creation [high]
- UC-10.7.349 · Linux Auditd Doas Tool Execution [high]
- UC-10.7.350 · Linux Auditd Edit Cron Table Parameter [high]
- UC-10.7.351 · Linux Auditd File And Directory Discovery [high]
- UC-10.7.352 · Linux Auditd File Permission Modification Via Chmod [high]
- UC-10.7.353 · Linux Auditd File Permissions Modification Via Chattr [high]
- UC-10.7.354 · Linux Auditd Find Credentials From Password Stores [high]
- UC-10.7.355 · Linux Auditd Find Ssh Private Keys [high]
- UC-10.7.356 · Linux Auditd Insert Kernel Module Using Insmod Utility [high]
- UC-10.7.357 · Linux Auditd Install Kernel Module Using Modprobe Utility [high]
- UC-10.7.358 · Linux Auditd Kernel Module Enumeration [high]
- UC-10.7.359 · Linux Auditd Kernel Module Using Rmmod Utility [high]
- UC-10.7.360 · Linux Auditd Nopasswd Entry In Sudoers File [high]
- UC-10.7.361 · Linux Auditd Osquery Service Stop [high]
- UC-10.7.362 · Linux Auditd Possible Access Or Modification Of Sshd Config File [high]
- UC-10.7.363 · Linux Auditd Possible Access To Credential Files [high]
- UC-10.7.364 · Linux Auditd Possible Access To Sudoers File [high]
- UC-10.7.365 · Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File [high]
- UC-10.7.366 · Linux Auditd Preload Hijack Via Preload File [high]
- UC-10.7.367 · Linux Auditd Service Restarted [high]
- UC-10.7.368 · Linux Auditd Service Started [high]
- UC-10.7.369 · Linux Auditd Setuid Using Chmod Utility [high]
- UC-10.7.370 · Linux Auditd Setuid Using Setcap Utility [high]
- UC-10.7.371 · Linux Auditd Sudo Or Su Execution [high]
- UC-10.7.372 · Linux Auditd Sysmon Service Stop [high]
- UC-10.7.373 · Linux Auditd Unix Shell Configuration Modification [high]
- UC-10.7.374 · Linux Auditd Unload Module Via Modprobe [high]
- UC-10.7.375 · Linux Auditd Virtual Disk File And Directory Discovery [high]
- UC-10.7.376 · Linux Auditd Whoami User Discovery [high]
- UC-10.7.377 · Linux Deletion Of Init Daemon Script [high]
- UC-10.7.378 · Linux Deletion Of Services [high]
- UC-10.7.379 · Linux Edit Cron Table Parameter [high]
- UC-10.7.380 · Linux File Created In Kernel Driver Directory [high]
- UC-10.7.381 · Linux File Creation In Profile Directory [high]
- UC-10.7.382 · Linux Magic SysRq Key Abuse [high]
- UC-10.7.383 · Linux Medusa Rootkit [high]
- UC-10.7.384 · Linux Persistence and Privilege Escalation Risk Behavior [high]
- UC-10.7.385 · Linux Possible Cronjob Modification With Editor [high]
- UC-10.7.386 · Linux Possible Ssh Key File Creation [high]
- UC-10.7.387 · Linux Sudoers Tmp File Creation [high]
- UC-10.7.388 · Linux Suspicious React or Next.js Child Process [high]
- UC-10.7.389 · Living Off The Land Detection [high]
- UC-10.7.390 · LLM Model File Creation [high]
- UC-10.7.391 · Loading Of Dynwrapx Module [high]
- UC-10.7.392 · Local LLM Framework DNS Query [high]
- UC-10.7.393 · MacOS AMOS Stealer - Virtual Machine Check Activity [high]
- UC-10.7.394 · MacOS LOLbin [high]
- UC-10.7.395 · MacOS plutil [high]
- UC-10.7.396 · Malicious Powershell Executed As A Service [high]
- UC-10.7.397 · MS Scripting Process Loading Ldap Module [high]
- UC-10.7.398 · Network Traffic to Active Directory Web Services Protocol [high]
- UC-10.7.399 · Non Chrome Process Accessing Chrome Default Dir [high]
- UC-10.7.400 · PaperCut NG Suspicious Behavior Debug Log [high]
- UC-10.7.401 · Ping Sleep Batch Command [high]
- UC-10.7.402 · Potential password in username [high]
- UC-10.7.403 · PowerShell 4104 Hunting [high]
- UC-10.7.404 · Powershell COM Hijacking InprocServer32 Modification [high]
- UC-10.7.405 · Powershell Disable Security Monitoring [high]
- UC-10.7.406 · PowerShell Domain Enumeration [high]
- UC-10.7.407 · PowerShell Enable PowerShell Remoting [high]
- UC-10.7.408 · Powershell Fileless Process Injection via GetProcAddress [high]
- UC-10.7.409 · Powershell Fileless Script Contains Base64 Encoded Content [high]
- UC-10.7.410 · PowerShell Invoke CIMMethod CIMSession [high]
- UC-10.7.411 · Powershell Load Module in Meterpreter [high]
- UC-10.7.412 · PowerShell Loading DotNET into Memory via Reflection [high]
- UC-10.7.413 · Powershell Processing Stream Of Data [high]
- UC-10.7.414 · Powershell Remote Services Add TrustedHost [high]
- UC-10.7.415 · Powershell Using memory As Backing Store [high]
- UC-10.7.416 · Powershell Windows Defender Exclusion Commands [high]
- UC-10.7.417 · Process Creating LNK file in Suspicious Location [high]
- UC-10.7.418 · Processes Tapping Keyboard Events [high]
- UC-10.7.419 · Recon Using WMI Class [high]
- UC-10.7.420 · Remote System Discovery with Adsisearcher [high]
- UC-10.7.421 · Rubeus Kerberos Ticket Exports Through Winlogon Access [high]
- UC-10.7.422 · ServicePrincipalNames Discovery with PowerShell [high]
- UC-10.7.423 · Shai-Hulud 2 Exfiltration Artifact Files [high]
- UC-10.7.424 · Shai-Hulud Workflow File Creation or Modification [high]
- UC-10.7.425 · Suspicious Copy on System32 [high]
- UC-10.7.426 · UAC Bypass MMC Load Unsigned Dll [high]
- UC-10.7.427 · Unusual Number of Kerberos Service Tickets Requested [high]
- UC-10.7.428 · Wbemprox COM Object Execution [high]
- UC-10.7.429 · Web or Application Server Spawning a Shell [high]
- UC-10.7.430 · Windows Access Token Manipulation SeDebugPrivilege [high]
- UC-10.7.431 · Windows Access Token Manipulation Winlogon Duplicate Token Handle [high]
- UC-10.7.432 · Windows Access Token Winlogon Duplicate Handle In Uncommon Path [high]
- UC-10.7.433 · Windows Account Access Removal via Logoff Exec [high]
- UC-10.7.434 · Windows Account Discovery for None Disable User Account [high]
- UC-10.7.435 · Windows AD Abnormal Object Access Activity [high]
- UC-10.7.436 · Windows AD add Self to Group [high]
- UC-10.7.437 · Windows AD AdminSDHolder ACL Modified [high]
- UC-10.7.438 · Windows AD Cross Domain SID History Addition [high]
- UC-10.7.439 · Windows AD Dangerous Deny ACL Modification [high]
- UC-10.7.440 · Windows AD Dangerous Group ACL Modification [high]
- UC-10.7.441 · Windows AD Dangerous User ACL Modification [high]
- UC-10.7.442 · Windows AD DCShadow Privileges ACL Addition [high]
- UC-10.7.443 · Windows AD Domain Controller Audit Policy Disabled [high]
- UC-10.7.444 · Windows AD Domain Controller Promotion [high]
- UC-10.7.445 · Windows AD Domain Replication ACL Addition [high]
- UC-10.7.446 · Windows AD Domain Root ACL Deletion [high]
- UC-10.7.447 · Windows AD Domain Root ACL Modification [high]
- UC-10.7.448 · Windows AD DSRM Account Changes [high]
- UC-10.7.449 · Windows AD DSRM Password Reset [high]
- UC-10.7.450 · Windows AD GPO Deleted [high]
- UC-10.7.451 · Windows AD GPO Disabled [high]
- UC-10.7.452 · Windows AD GPO New CSE Addition [high]
- UC-10.7.453 · Windows AD Hidden OU Creation [high]
- UC-10.7.454 · Windows AD Object Owner Updated [high]
- UC-10.7.455 · Windows AD Privileged Account SID History Addition [high]
- UC-10.7.456 · Windows AD Privileged Group Modification [high]
- UC-10.7.457 · Windows AD Replication Request Initiated by User Account [high]
- UC-10.7.458 · Windows AD Replication Request Initiated from Unsanctioned Location [high]
- UC-10.7.459 · Windows AD Same Domain SID History Addition [high]
- UC-10.7.460 · Windows AD Self DACL Assignment [high]
- UC-10.7.461 · Windows AD ServicePrincipalName Added To Domain Account [high]
- UC-10.7.462 · Windows AD Short Lived Domain Account ServicePrincipalName [high]
- UC-10.7.463 · Windows AD Short Lived Domain Controller SPN Attribute [high]
- UC-10.7.464 · Windows AD Short Lived Server Object [high]
- UC-10.7.465 · Windows AD SID History Attribute Modified [high]
- UC-10.7.466 · Windows AD Suspicious Attribute Modification [high]
- UC-10.7.467 · Windows AI Platform DNS Query [high]
- UC-10.7.468 · Windows Alternate DataStream - Executable Content [high]
- UC-10.7.469 · Windows Alternate DataStream - Process Execution [high]
- UC-10.7.470 · Windows Anonymous Pipe Activity [high]
- UC-10.7.471 · Windows Application Whitelisting Bypass Attempt via Rundll32 [high]
- UC-10.7.472 · Windows AppLocker Block Events [high]
- UC-10.7.473 · Windows AppLocker Privilege Escalation via Unauthorized Bypass [high]
- UC-10.7.474 · Windows AppLocker Rare Application Launch Detection [high]
- UC-10.7.475 · Windows AppX Deployment Full Trust Package Installation [high]
- UC-10.7.476 · Windows AppX Deployment Package Installation Success [high]
- UC-10.7.477 · Windows AppX Deployment Unsigned Package Installation [high]
- UC-10.7.478 · Windows Archive Collected Data via Powershell [high]
- UC-10.7.479 · Windows Archived Collected Data In TEMP Folder [high]
- UC-10.7.480 · Windows AutoIt3 Execution [high]
- UC-10.7.481 · Windows Browser Process Launched with Unusual Flags [high]
- UC-10.7.482 · Windows Cabinet File Extraction Via Expand [high]
- UC-10.7.483 · Windows Change File Association Command To Notepad [high]
- UC-10.7.484 · Windows Chrome Auto-Update Disabled via Registry [high]
- UC-10.7.485 · Windows Chrome Enable Extension Loading via Command-Line [high]
- UC-10.7.486 · Windows Chrome Extension Allowed Registry Modification [high]
- UC-10.7.487 · Windows Chromium Browser No Security Sandbox Process [high]
- UC-10.7.488 · Windows Chromium Browser with Custom User Data Directory [high]
- UC-10.7.489 · Windows Chromium Process Launched with Logging Disabled [high]
- UC-10.7.490 · Windows Chromium Process Loaded Extension via Command-Line [high]
- UC-10.7.491 · Windows ClipBoard Data via Get-ClipBoard [high]
- UC-10.7.492 · Windows Command and Scripting Interpreter Hunting Path Traversal [high]
- UC-10.7.493 · Windows Common Abused Cmd Shell Risk Behavior [high]
- UC-10.7.494 · Windows Computer Account Requesting Kerberos Ticket [high]
- UC-10.7.495 · Windows ConsoleHost History File Deletion [high]
- UC-10.7.496 · Windows Credential Access From Browser Password Store [high]
- UC-10.7.497 · Windows Credentials Access via VaultCli Module [high]
- UC-10.7.498 · Windows Credentials from Password Stores Chrome Extension Access [high]
- UC-10.7.499 · Windows Credentials from Password Stores Chrome LocalState Access [high]
- UC-10.7.500 · Windows Credentials from Password Stores Chrome Login Data Access [high]
- UC-10.7.501 · Windows Curl Download to Suspicious Path [high]
- UC-10.7.502 · Windows Curl Upload to Remote Destination [high]
- UC-10.7.503 · Windows Default RDP File Creation By Non MSTSC Process [high]
- UC-10.7.504 · Windows Default Rdp File Deletion [high]
- UC-10.7.505 · Windows Default Rdp File Unhidden [high]
- UC-10.7.506 · Windows Defender ASR or Threat Configuration Tamper [high]
- UC-10.7.507 · Windows Disable Internet Explorer Addons [high]
- UC-10.7.508 · Windows DISM Install PowerShell Web Access [high]
- UC-10.7.509 · Windows DLL Module Loaded in Temp Dir [high]
- UC-10.7.510 · Windows DNS Query Request To TinyUrl [high]
- UC-10.7.511 · Windows DnsAdmins New Member Added [high]
- UC-10.7.512 · Windows Domain Account Discovery Via Get-NetComputer [high]
- UC-10.7.513 · Windows Domain Admin Impersonation Indicator [high]
- UC-10.7.514 · Windows DotNet Binary in Non Standard Path [high]
- UC-10.7.515 · Windows Driver Inventory [high]
- UC-10.7.516 · Windows Enable PowerShell Web Access [high]
- UC-10.7.517 · Windows Event For Service Disabled [high]
- UC-10.7.518 · Windows Event Log Cleared [high]
- UC-10.7.519 · Windows Event Logging Service Has Shutdown [high]
- UC-10.7.520 · Windows Event Triggered Image File Execution Options Injection [high]
- UC-10.7.521 · Windows Eventlog Cleared Via Wevtutil [high]
- UC-10.7.522 · Windows EventLog Recon Activity Using Log Query Utilities [high]
- UC-10.7.523 · Windows Excel ActiveMicrosoftApp Child Process [high]
- UC-10.7.524 · Windows Excessive Disabled Services Event [high]
- UC-10.7.525 · Windows Executable Masquerading as Benign File Types [high]
- UC-10.7.526 · Windows Execution of Microsoft MSC File In Suspicious Path [high]
- UC-10.7.527 · Windows Exfiltration Over C2 Via Invoke RestMethod [high]
- UC-10.7.528 · Windows File and Directory Enable ReadOnly Permissions [high]
- UC-10.7.529 · Windows File and Directory Permissions Enable Inheritance [high]
- UC-10.7.530 · Windows File Collection Via Copy Utilities [high]
- UC-10.7.531 · Windows File Download Via PowerShell [high]
- UC-10.7.532 · Windows File Share Discovery With Powerview [high]
- UC-10.7.533 · Windows Files and Dirs Access Rights Modification Via Icacls [high]
- UC-10.7.534 · Windows Find Interesting ACL with FindInterestingDomainAcl [high]
- UC-10.7.535 · Windows Forest Discovery with GetForestDomain [high]
- UC-10.7.536 · Windows Gather Victim Identity SAM Info [high]
- UC-10.7.537 · Windows Handle Duplication in Known UAC-Bypass Binaries [high]
- UC-10.7.538 · Windows Hunting System Account Targeting Lsass [high]
- UC-10.7.539 · Windows Identify PowerShell Web Access IIS Pool [high]
- UC-10.7.540 · Windows IIS Components New Module Added [high]
- UC-10.7.541 · Windows Important Audit Policy Disabled [high]
- UC-10.7.542 · Windows Increase in Group or Object Modification Activity [high]
- UC-10.7.543 · Windows Increase in User Modification Activity [high]
- UC-10.7.544 · Windows Information Discovery Fsutil [high]
- UC-10.7.545 · Windows Input Capture Using Credential UI Dll [high]
- UC-10.7.546 · Windows InstallUtil Credential Theft [high]
- UC-10.7.547 · Windows Known Abused DLL Loaded Suspiciously [high]
- UC-10.7.548 · Windows Known GraphicalProton Loaded Modules [high]
- UC-10.7.549 · Windows KrbRelayUp Service Creation [high]
- UC-10.7.550 · Windows Linked Policies In ADSI Discovery [high]
- UC-10.7.551 · Windows Local LLM Framework Execution [high]
- UC-10.7.552 · Windows LOLBAS Executed As Renamed File [high]
- UC-10.7.553 · Windows LOLBAS Executed Outside Expected Path [high]
- UC-10.7.554 · Windows Modify Registry on Smart Card Group Policy [high]
- UC-10.7.555 · Windows Modify Registry Risk Behavior [high]
- UC-10.7.556 · Windows Modify Registry ValleyRAT C2 Config [high]
- UC-10.7.557 · Windows MSHTA Writing to World Writable Path [high]
- UC-10.7.558 · Windows MSIExec Remote Download [high]
- UC-10.7.559 · Windows MSIX Package Interaction [high]
- UC-10.7.560 · Windows Multiple Account Passwords Changed [high]
- UC-10.7.561 · Windows Multiple Accounts Deleted [high]
- UC-10.7.562 · Windows Multiple Accounts Disabled [high]
- UC-10.7.563 · Windows Multiple NTLM Null Domain Authentications [high]
- UC-10.7.564 · True Positive Test [high]
- UC-10.7.565 · True Positive Test [high]
- UC-10.7.566 · True Positive Test [high]
- UC-10.7.567 · Windows NetSupport RMM DLL Loaded By Uncommon Process [high]
- UC-10.7.568 · Windows Network Share Interaction Via Net [high]
- UC-10.7.569 · Windows NirSoft Tool Bundle File Created [high]
- UC-10.7.570 · Windows NirSoft Utilities [high]
- UC-10.7.571 · Windows Non Discord App Access Discord LevelDB [high]
- UC-10.7.572 · Windows Non-System Account Targeting Lsass [high]
- UC-10.7.573 · Windows Possible Credential Dumping [high]
- UC-10.7.574 · Windows Post Exploitation Risk Behavior [high]
- UC-10.7.575 · Windows Potential AppDomainManager Hijack Artifacts Creation [high]
- UC-10.7.576 · Windows PowerShell Add Module to Global Assembly Cache [high]
- UC-10.7.577 · Windows PowerShell Disable HTTP Logging [high]
- UC-10.7.578 · Windows PowerShell FakeCAPTCHA Clipboard Execution [high]
- UC-10.7.579 · Windows PowerShell Get CIMInstance Remote Computer [high]
- UC-10.7.580 · Windows Powershell History File Deletion [high]
- UC-10.7.581 · Windows PowerShell IIS Components WebGlobalModule Usage [high]
- UC-10.7.582 · Windows PowerShell Invoke-RestMethod IP Information Collection [high]
- UC-10.7.583 · Windows PowerShell Invoke-Sqlcmd Execution [high]
- UC-10.7.584 · Windows Powershell Logoff User via Quser [high]
- UC-10.7.585 · Windows PowerShell MSIX Package Installation [high]
- UC-10.7.586 · Windows PowerShell Process Implementing Manual Base64 Decoder [high]
- UC-10.7.587 · Windows PowerShell ScheduleTask [high]
- UC-10.7.588 · Windows PowerShell WMI Win32 ScheduledJob [high]
- UC-10.7.589 · Windows PowerSploit GPP Discovery [high]
- UC-10.7.590 · Windows PowerView AD Access Control List Enumeration [high]
- UC-10.7.591 · Windows PowerView Kerberos Service Ticket Request [high]
- UC-10.7.592 · Windows PowerView SPN Discovery [high]
- UC-10.7.593 · True Positive Test [high]
- UC-10.7.594 · True Positive Test [high]
- UC-10.7.595 · True Positive Test [high]
- UC-10.7.596 · Windows Process Executed From Removable Media [high]
- UC-10.7.597 · Windows Process Execution From ProgramData [high]
- UC-10.7.598 · Windows Process Execution From RDP Share [high]
- UC-10.7.599 · Windows Process Injection into Commonly Abused Processes [high]
- UC-10.7.600 · Windows Process Injection into Notepad [high]
- UC-10.7.601 · Windows Process Injection Remote Thread [high]
- UC-10.7.602 · Windows Process Injection With Public Source Path [high]
- UC-10.7.603 · Windows PsTools Recon Usage [high]
- UC-10.7.604 · Windows PUA Named Pipe [high]
- UC-10.7.605 · Windows Query Registry Browser List Application [high]
- UC-10.7.606 · Windows Rasautou DLL Execution [high]
- UC-10.7.607 · Windows Raw Access To Master Boot Record Drive [high]
- UC-10.7.608 · Windows Rdp AutomaticDestinations Deletion [high]
- UC-10.7.609 · Windows RDP Cache File Deletion [high]
- UC-10.7.610 · Windows RDP Client Launched with Admin Session [high]
- UC-10.7.611 · Windows RDP Login Session Was Established [high]
- UC-10.7.612 · Windows RDP Server Registry Deletion [high]
- UC-10.7.613 · Windows RDP Server Registry Entry Created [high]
- UC-10.7.614 · Windows Registry Delete Task SD [high]
- UC-10.7.615 · Windows Registry SIP Provider Modification [high]
- UC-10.7.616 · Windows Remote Access Software BRC4 Loaded Dll [high]
- UC-10.7.617 · Windows Remote Host Computer Management Access [high]
- UC-10.7.618 · Windows Remote Management Execute Shell [high]
- UC-10.7.619 · Windows RMM Named Pipe [high]
- UC-10.7.620 · Windows Root Domain linked policies Discovery [high]
- UC-10.7.621 · Windows Rundll32 Apply User Settings Changes [high]
- UC-10.7.622 · Windows RunMRU Registry Key or Value Deleted [high]
- UC-10.7.623 · Windows Scheduled Task Created Via XML [high]
- UC-10.7.624 · Windows Scheduled Task with Suspicious Command [high]
- UC-10.7.625 · Windows Scheduled Task with Suspicious Name [high]
- UC-10.7.626 · Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr [high]
- UC-10.7.627 · Windows Screen Capture Via Powershell [high]
- UC-10.7.628 · Windows Service Creation Using Registry Entry [high]
- UC-10.7.629 · Windows Short Lived DNS Record [high]
- UC-10.7.630 · Windows SIP Provider Inventory [high]
- UC-10.7.631 · Windows SnappyBee Create Test Registry [high]
- UC-10.7.632 · Windows SQL Server Configuration Option Hunt [high]
- UC-10.7.633 · Windows SQL Server Critical Procedures Enabled [high]
- UC-10.7.634 · Windows SQL Server Extended Procedure DLL Loading Hunt [high]
- UC-10.7.635 · Windows SQL Server Startup Procedure [high]
- UC-10.7.636 · Windows SQLCMD Execution [high]
- UC-10.7.637 · Windows SqlWriter SQLDumper DLL Sideload [high]
- UC-10.7.638 · Windows SSH Proxy Command [high]
- UC-10.7.639 · Windows Suspect Process With Authentication Traffic [high]
- UC-10.7.640 · Windows Suspicious C2 Named Pipe [high]
- UC-10.7.641 · Windows Suspicious Driver Loaded Path [high]
- UC-10.7.642 · Windows Suspicious Named Pipe [high]
- UC-10.7.643 · Windows Suspicious React or Next.js Child Process [high]
- UC-10.7.644 · Windows Svchost.exe Parent Process Anomaly [high]
- UC-10.7.645 · Windows Symlink Evaluation Change via Fsutil [high]
- UC-10.7.646 · Windows Terminating Lsass Process [high]
- UC-10.7.647 · Windows TOR Client Execution [high]
- UC-10.7.648 · Windows UAC Bypass Suspicious Escalation Behavior [high]
- UC-10.7.649 · True Positive Test [high]
- UC-10.7.650 · True Positive Test [high]
- UC-10.7.651 · True Positive Test [high]
- UC-10.7.652 · Windows Unusual FileZilla XML Config Access [high]
- UC-10.7.653 · Windows Unusual Intelliform Storage Registry Access [high]
- UC-10.7.654 · Windows Unusual NTLM Authentication Destinations By Source [high]
- UC-10.7.655 · Windows Unusual NTLM Authentication Destinations By User [high]
- UC-10.7.656 · Windows Unusual NTLM Authentication Users By Destination [high]
- UC-10.7.657 · Windows Unusual NTLM Authentication Users By Source [high]
- UC-10.7.658 · Windows Unusual Process Load Mozilla NSS-Mozglue Module [high]
- UC-10.7.659 · Windows Unusual SysWOW64 Process Run System32 Executable [high]
- UC-10.7.660 · Windows Visual Basic Commandline Compiler DNSQuery [high]
- UC-10.7.661 · Windows WBAdmin File Recovery From Backup [high]
- UC-10.7.662 · Windows Wmic CPU Discovery [high]
- UC-10.7.663 · Windows Wmic DiskDrive Discovery [high]
- UC-10.7.664 · Windows Wmic Memory Chip Discovery [high]
- UC-10.7.665 · Windows Wmic Network Discovery [high]
- UC-10.7.666 · Windows Wmic Systeminfo Discovery [high]
- UC-10.7.667 · WinEvent Scheduled Task Created to Spawn Shell [high]
- UC-10.7.668 · WinEvent Scheduled Task Created Within Public Path [high]
- UC-10.7.669 · WinEvent Windows Task Scheduler Event Action Started [high]
- UC-10.7.670 · WMI Permanent Event Subscription [high]
- UC-10.7.671 · WMI Permanent Event Subscription - Sysmon [high]
- UC-10.7.672 · WMI Temporary Event Subscription [high]
- UC-10.7.673 · WMIC XSL Execution via URL [high]
- UC-10.7.674 · 3CX Supply Chain Attack Network Indicators [high]
- UC-10.7.675 · Cisco Configuration Archive Logging Analysis [high]
- UC-10.7.676 · Cisco IOS Suspicious Privileged Account Creation [high]
- UC-10.7.677 · Cisco Privileged Account Creation with HTTP Command Execution [high]
- UC-10.7.678 · Cisco Privileged Account Creation with Suspicious SSH Activity [high]
- UC-10.7.679 · Cisco SD-WAN - Low Frequency Rogue Peer [high]
- UC-10.7.680 · Cisco SD-WAN - Peering Activity [high]
- UC-10.7.681 · Cisco Smart Install Oversized Packet Detection [high]
- UC-10.7.682 · Cisco SNMP Community String Configuration Changes [high]
- UC-10.7.683 · Cisco TFTP Server Configuration for Data Exfiltration [high]
- UC-10.7.684 · Detect ARP Poisoning [high]
- UC-10.7.685 · Detect DGA domains using pretrained model in DSDL [high]
- UC-10.7.686 · Detect DNS Data Exfiltration using pretrained model in DSDL [high]
- UC-10.7.687 · Detect DNS Query to Decommissioned S3 Bucket [high]
- UC-10.7.688 · Detect hosts connecting to dynamic domain providers [high]
- UC-10.7.689 · Detect IPv6 Network Infrastructure Threats [high]
- UC-10.7.690 · Detect Outbound LDAP Traffic [high]
- UC-10.7.691 · Detect Port Security Violation [high]
- UC-10.7.692 · Detect Rogue DHCP Server [high]
- UC-10.7.693 · Detect Software Download To Network Device [high]
- UC-10.7.694 · Detect suspicious DNS TXT records using pretrained model in DSDL [high]
- UC-10.7.695 · Detect Unauthorized Assets by MAC address [high]
- UC-10.7.696 · DNS Query Length Outliers - MLTK [high]
- UC-10.7.697 · DNS Query Length With High Standard Deviation [high]
- UC-10.7.698 · HTTP C2 Framework User Agent [high]
- UC-10.7.699 · HTTP PUA User Agent [high]
- UC-10.7.700 · HTTP RMM User Agent [high]
- UC-10.7.701 · Large Volume of DNS ANY Queries [high]
- UC-10.7.702 · Ngrok Reverse Proxy on Network [high]
- UC-10.7.703 · Prohibited Network Traffic Allowed [high]
- UC-10.7.704 · Protocols passing authentication in cleartext [high]
- UC-10.7.705 · SMB Traffic Spike [high]
- UC-10.7.706 · Suspicious Process DNS Query Known Abuse Web Services [high]
- UC-10.7.707 · Windows Abused Web Services [high]
- UC-10.7.708 · Windows AD Replication Service Traffic [high]
- UC-10.7.709 · Windows AD Rogue Domain Controller Network Activity [high]
- UC-10.7.710 · Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure [high]
- UC-10.7.711 · Detect Remote Access Software Usage URL [high]
- UC-10.7.712 · HTTP Duplicated Header [high]
- UC-10.7.713 · HTTP Request to Reserved Name on IIS Server [high]
- UC-10.7.714 · Multiple Archive Files Http Post Traffic [high]
- UC-10.7.715 · PaperCut NG Remote Web Access Attempt [high]
- UC-10.7.716 · SAP NetWeaver Visual Composer Exploitation Attempt [high]
- UC-10.7.717 · SQL Injection with Long URLs [high]
- UC-10.7.718 · Supernova Webshell [high]
- UC-10.7.719 · Windows IIS Server PSWA Console Access [high]

### 10.8 Certificate & PKI Management

- UC-10.8.1 · Certificate Expiry Monitoring [critical]
- UC-10.8.2 · Certificate Issuance Audit [high]
- UC-10.8.3 · Weak Cipher / Key Detection [high]
- UC-10.8.4 · Certificate Revocation Tracking [medium]
- UC-10.8.5 · CT Log Monitoring [high]
- UC-10.8.6 · Azure AD Service Principal New Client Credentials [high]
- UC-10.8.7 · Attempt To Add Certificate To Untrusted Store [high]
- UC-10.8.8 · Certutil exe certificate extraction [high]
- UC-10.8.9 · Cisco Isovalent - Curl Execution With Insecure Flags [high]
- UC-10.8.10 · Detect Certify Command Line Arguments [high]
- UC-10.8.11 · Detect Certify With PowerShell Script Block Logging [high]
- UC-10.8.12 · Detect Certipy File Modifications [high]
- UC-10.8.13 · Linux Auditd Private Keys and Certificate Enumeration [high]
- UC-10.8.14 · Linux Deletion of SSL Certificate [high]
- UC-10.8.15 · Linux Impair Defenses Process Kill [high]
- UC-10.8.16 · Steal or Forge Authentication Certificates Behavior Identified [high]
- UC-10.8.17 · Windows Certutil Root Certificate Addition [high]
- UC-10.8.18 · Windows Export Certificate [high]
- UC-10.8.19 · Windows Mimikatz Crypto Export File Extensions [high]
- UC-10.8.20 · Windows PowerShell Export Certificate [high]
- UC-10.8.21 · Windows PowerShell Export PfxCertificate [high]
- UC-10.8.22 · Windows Private Keys Discovery [high]
- UC-10.8.23 · Windows Registry Certificate Added [high]
- UC-10.8.24 · Windows Steal Authentication Certificates - ESC1 Abuse [high]
- UC-10.8.25 · Windows Steal Authentication Certificates - ESC1 Authentication [high]
- UC-10.8.26 · Windows Steal Authentication Certificates Certificate Issued [high]
- UC-10.8.27 · Windows Steal Authentication Certificates Certificate Request [high]
- UC-10.8.28 · Windows Steal Authentication Certificates CertUtil Backup [high]
- UC-10.8.29 · Windows Steal Authentication Certificates CryptoAPI [high]
- UC-10.8.30 · Windows Steal Authentication Certificates CS Backup [high]
- UC-10.8.31 · Windows Steal Authentication Certificates Export Certificate [high]
- UC-10.8.32 · Windows Steal Authentication Certificates Export PfxCertificate [high]
- UC-10.8.33 · Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint [high]
- UC-10.8.34 · Detect SNICat SNI Exfiltration [high]
- UC-10.8.35 · Container Runtime Security Event Correlation [high]
- UC-10.8.36 · Certificate Transparency Log Monitoring [medium]
- UC-10.8.37 · EDR Tampering and Exclusion Detection [critical]
- UC-10.8.38 · Data Loss Prevention Policy Violation Trending [high]
- UC-10.8.39 · Security Tool Availability and Heartbeat [critical]

### 10.9 ESCU 2025-2026 Analytic Stories

- UC-10.9.1 · Suspicious Ollama process execution [high]
- UC-10.9.2 · Ollama API abuse detection [high]
- UC-10.9.3 · LLM framework unauthorized model download [high]
- UC-10.9.4 · Prompt injection attempt via API [high]
- UC-10.9.5 · Prompt extraction defense evasion [high]
- UC-10.9.6 · MCP server unauthorized tool invocation [high]
- UC-10.9.7 · MCP session hijacking indicators [high]
- UC-10.9.8 · Microsoft 365 Copilot sensitive data access [high]
- UC-10.9.9 · Copilot plugin abuse [high]
- UC-10.9.10 · AI model exfiltration attempt [high]
- UC-10.9.11 · LLM API key exposure [high]
- UC-10.9.12 · AI training data poisoning indicators [high]
- UC-10.9.13 · AI service account privilege escalation [high]
- UC-10.9.14 · Generative AI data leakage [high]
- UC-10.9.15 · Chatbot session manipulation [high]
- UC-10.9.16 · LLM output content policy violation [high]
- UC-10.9.17 · AI model API unauthorized endpoint access [high]
- UC-10.9.18 · AI pipeline integrity monitoring [high]
- UC-10.9.19 · Shadow AI service detection [high]
- UC-10.9.20 · AI compute resource abuse [high]
- UC-10.9.21 · Hellcat ransomware encryption behavior [high]
- UC-10.9.22 · Storm-0501 lateral movement [high]
- UC-10.9.23 · Interlock ransomware deployment [high]
- UC-10.9.24 · Termite ransomware file staging [high]
- UC-10.9.25 · NailaoLocker ransom note creation [high]
- UC-10.9.26 · DynoWiper disk wipe activity [high]
- UC-10.9.27 · ZOVWiper partition manipulation [high]
- UC-10.9.28 · PathWiper MBR corruption [high]
- UC-10.9.29 · BlackBasta new variant indicators [high]
- UC-10.9.30 · RansomHub affiliate tooling [high]
- UC-10.9.31 · Play ransomware VMware targeting [high]
- UC-10.9.32 · Akira ransomware Linux variant [high]
- UC-10.9.33 · LockBit successor indicators [high]
- UC-10.9.34 · Medusa ransomware extortion [high]
- UC-10.9.35 · Qilin ransomware data staging [high]
- UC-10.9.36 · Ransomware via RMM tool abuse [high]
- UC-10.9.37 · Fileless ransomware execution [high]
- UC-10.9.38 · Ransomware backup deletion [high]
- UC-10.9.39 · Ransomware print bomb [high]
- UC-10.9.40 · Ransomware network share encryption [high]
- UC-10.9.41 · Ransomware shadow copy deletion [high]
- UC-10.9.42 · Ransomware safe mode boot [high]
- UC-10.9.43 · Ransomware ESXi targeting [high]
- UC-10.9.44 · Ransomware vCenter exploitation [high]
- UC-10.9.45 · Double extortion data staging [high]
- UC-10.9.46 · MuddyWater PowerShell dropper [high]
- UC-10.9.47 · Scattered Spider social engineering TTPs [high]
- UC-10.9.48 · China-Nexus supply chain compromise [high]
- UC-10.9.49 · Secret Blizzard credential harvesting [high]
- UC-10.9.50 · Earth Alux zero-day exploitation [high]
- UC-10.9.51 · Lotus Blossom watering hole [high]
- UC-10.9.52 · APT37 Rustonotto loader [high]
- UC-10.9.53 · Salt Typhoon telecom targeting [high]
- UC-10.9.54 · Volt Typhoon living-off-the-land [high]
- UC-10.9.55 · Sandworm ICS targeting [high]
- UC-10.9.56 · Midnight Blizzard OAuth abuse [high]
- UC-10.9.57 · APT29 cloud infrastructure abuse [high]
- UC-10.9.58 · Kimsuky credential phishing [high]
- UC-10.9.59 · Lazarus cryptocurrency targeting [high]
- UC-10.9.60 · APT28 router exploitation [high]
- UC-10.9.61 · SAP NetWeaver CVE exploitation [high]
- UC-10.9.62 · Oracle E-Business Suite RCE [high]
- UC-10.9.63 · SharePoint deserialization exploit [high]
- UC-10.9.64 · Apache Tomcat CVE detection [high]
- UC-10.9.65 · CLFS zero-day privilege escalation [high]
- UC-10.9.66 · Apache Struts RCE [high]
- UC-10.9.67 · Cisco IOS XE implant detection [high]
- UC-10.9.68 · Ivanti Connect Secure exploitation [high]
- UC-10.9.69 · Citrix Bleed exploitation [high]
- UC-10.9.70 · MOVEit Transfer CVE [high]
- UC-10.9.71 · ScreenConnect exploitation [high]
- UC-10.9.72 · ConnectWise vulnerability abuse [high]
- UC-10.9.73 · Fortinet FortiOS CVE [high]
- UC-10.9.74 · PaperCut exploitation [high]
- UC-10.9.75 · Atlassian Confluence RCE [high]
- UC-10.9.76 · Log4Shell persistent exploitation [high]
- UC-10.9.77 · Spring4Shell detection [high]
- UC-10.9.78 · ProxyShell/ProxyNotShell [high]
- UC-10.9.79 · Exchange Server CVE chain [high]
- UC-10.9.80 · JetBrains TeamCity exploitation [high]

### 10.10 Detection Efficacy & YARA Monitoring

- UC-10.10.1 · Detection rule false positive rate tracking [medium]
- UC-10.10.2 · Detection rule true positive attribution [medium]
- UC-10.10.3 · Stale detection identification (rules never firing 90+ days) [medium]
- UC-10.10.4 · Detection rule runtime performance [medium]
- UC-10.10.5 · MITRE ATT&CK technique coverage gap analysis [medium]
- UC-10.10.6 · Custom detection vs ESCU baseline comparison [medium]
- UC-10.10.7 · Detection rule severity distribution balance [medium]
- UC-10.10.8 · Notable event triage time by detection rule [medium]
- UC-10.10.9 · YARA scan result ingestion and match alerting [high]
- UC-10.10.10 · YARA rule match trending by rule name [high]
- UC-10.10.11 · YARA scan coverage tracking [high]
- UC-10.10.12 · YARA rule source update compliance [high]
- UC-10.10.13 · YARA false positive analysis [high]
- UC-10.10.14 · YARA scan performance monitoring [high]
- UC-10.10.15 · YARA rule version tracking and change audit [high]

### 10.11 Vendor-Specific Security Detections

- UC-10.11.1 · FortiGate Firewall Policy Violations [high]
- UC-10.11.2 · FortiGate IPS Event Trending [high]
- UC-10.11.3 · FortiGate Anti-Virus Detection Rate [high]
- UC-10.11.4 · FortiGate Web Filter Category Blocks [high]
- UC-10.11.5 · FortiGate Application Control Violations [high]
- UC-10.11.6 · FortiSandbox Analysis Results [high]
- UC-10.11.7 · FortiGate SD-WAN Tunnel Health [high]
- UC-10.11.8 · FortiGate HA Failover Events [high]
- UC-10.11.9 · FortiGate SSL Inspection Bypass [high]
- UC-10.11.10 · FortiManager Configuration Compliance [high]
- UC-10.11.11 · FortiGate UTM Threat Correlation [high]
- UC-10.11.12 · FortiGate Admin Authentication Audit [high]
- UC-10.11.13 · FortiGate Resource Utilization Alerts [high]
- UC-10.11.14 · FortiGate VPN Tunnel Status [high]
- UC-10.11.15 · FortiGate Firmware Compliance [high]
- UC-10.11.16 · Palo Alto WildFire Malware Verdict Trending [high]
- UC-10.11.17 · Palo Alto URL Filtering Policy Blocks [high]
- UC-10.11.18 · Palo Alto GlobalProtect VPN Health [high]
- UC-10.11.19 · Palo Alto Threat Log Severity Analysis [high]
- UC-10.11.20 · Palo Alto Decryption Policy Compliance [high]
- UC-10.11.21 · Palo Alto Zone-Based Firewall Violations [high]
- UC-10.11.22 · Palo Alto Cortex XDR Incident Trending [high]
- UC-10.11.23 · Palo Alto Data Filtering Policy Violations [high]
- UC-10.11.24 · Palo Alto DNS Sinkhole Hits [high]
- UC-10.11.25 · Palo Alto App-ID Unknown Application Detection [high]
- UC-10.11.26 · Palo Alto User-ID Mapping Failures [high]
- UC-10.11.27 · Palo Alto GlobalProtect HIP Compliance [high]
- UC-10.11.28 · Palo Alto Panorama Push Failures [high]
- UC-10.11.29 · Palo Alto Anti-Spyware Detection Trending [high]
- UC-10.11.30 · Palo Alto Credential Phishing Detections [high]
- UC-10.11.31 · Check Point SandBlast Threat Emulation Results [high]
- UC-10.11.32 ·
Check Point Anti-Bot Detection Events [high] - UC-10.11.33 · Check Point SmartEvent Correlation Quality [high] - UC-10.11.34 · Check Point Compliance Blade Violations [high] - UC-10.11.35 · Check Point Gateway CPU and Memory Health [high] - UC-10.11.36 · Check Point VPN Tunnel Status [high] - UC-10.11.37 · Check Point URL Filtering Blocks [high] - UC-10.11.38 · Check Point Identity Awareness Events [high] - UC-10.11.39 · Check Point IPS Signature Coverage [high] - UC-10.11.40 · Check Point Threat Extraction Results [high] - UC-10.11.41 · CrowdStrike Detection Classification Analysis [high] - UC-10.11.42 · CrowdStrike IOA Rule Trigger Trending [high] - UC-10.11.43 · CrowdStrike Falcon Discover Asset Inventory Drift [high] - UC-10.11.44 · CrowdStrike Real-Time Response Audit Trail [high] - UC-10.11.45 · CrowdStrike Sensor Health and Connectivity [high] - UC-10.11.46 · CrowdStrike Incident Severity Distribution [high] - UC-10.11.47 · CrowdStrike Quarantine Action Audit [high] - UC-10.11.48 · CrowdStrike Prevention Policy Compliance [high] - UC-10.11.49 · CrowdStrike Behavioral IOC Trending [high] - UC-10.11.50 · CrowdStrike Spotlight Vulnerability Assessment [high] - UC-10.11.51 · ZIA Web Policy Violation Trending [high] - UC-10.11.52 · ZIA DLP Incident Analysis [high] - UC-10.11.53 · Zscaler Cloud Application Discovery [high] - UC-10.11.54 · ZPA Application Segment Health [high] - UC-10.11.55 · ZDX User Experience Scores [high] - UC-10.11.56 · ZIA SSL Inspection Coverage [high] - UC-10.11.57 · ZIA Sandbox Analysis Results [high] - UC-10.11.58 · Zscaler Cloud Firewall Rule Hit Analysis [high] - UC-10.11.59 · ZPA Connector Health [high] - UC-10.11.60 · Zscaler Advanced Threat Protection Blocks [high] - UC-10.11.61 · Zscaler Browser Isolation Usage [high] - UC-10.11.62 · Zscaler Data Protection Policy Effectiveness [high] [CCPA, GDPR] - UC-10.11.63 · VMware Carbon Black Binary Reputation Analysis [high] - UC-10.11.64 · Carbon Black Live Response Session Audit [high] - 
UC-10.11.65 · Carbon Black Watchlist Hit Trending [high] - UC-10.11.66 · Carbon Black Alert Severity Distribution [high] - UC-10.11.67 · Carbon Black Sensor Communication Health [high] - UC-10.11.68 · Carbon Black Device Control Policy Violations [high] - UC-10.11.69 · Carbon Black Network Isolation Events [high] - UC-10.11.70 · Carbon Black Audit Log Analysis [high] - UC-10.11.71 · Tenable Nessus Vulnerability Scan Coverage Tracking [high] - UC-10.11.72 · Tenable Compliance Scan Results [high] - UC-10.11.73 · Tenable Web Application Scan Findings [high] - UC-10.11.74 · Tenable Remediation SLA Monitoring [high] - UC-10.11.75 · Tenable CVSS Score Distribution Trending [high] - UC-10.11.76 · Tenable Scan Schedule Compliance [high] - UC-10.11.77 · Tenable Plugin Update Compliance [high] - UC-10.11.78 · Tenable Asset Discovery Reconciliation [high] - UC-10.11.79 · Tanium Endpoint Compliance Assessment Trending [high] - UC-10.11.80 · Tanium Patch Deployment Tracking [high] - UC-10.11.81 · Tanium Asset Discovery Reconciliation [high] - UC-10.11.82 · Tanium Software Usage Audit [high] - UC-10.11.83 · Tanium Real-Time Question Response Times [high] - UC-10.11.84 · Tanium Module Deployment Health [high] - UC-10.11.85 · Tanium Network Quarantine Audit [high] - UC-10.11.86 · Tanium Threat Response Action Audit [high] - UC-10.11.87 · FortiGate DNS Filter Security Profile Blocks [high] - UC-10.11.88 · FortiGate Botnet C2 Command Detection [high] - UC-10.11.89 · FortiAuthenticator RADIUS and MFA Audit [high] - UC-10.11.90 · FortiClient EMS Compliance Posture [high] - UC-10.11.91 · FortiAnalyzer Log Forwarding Gap Detection [high] - UC-10.11.92 · Palo Alto Prisma Access Tunnel and Portal Health [high] - UC-10.11.93 · Palo Alto Certificate Inspection and Untrusted Issuer Alerts [high] - UC-10.11.94 · Palo Alto Log Forwarding and SIEM Connectivity [high] - UC-10.11.95 · Palo Alto Threat Intelligence Feed Freshness [high] - UC-10.11.96 · Check Point Access Policy Rule Hit Analysis 
[high] - UC-10.11.97 · Check Point Anti-Spam and Email Security Events [high] - UC-10.11.98 · Check Point Identity Awareness Captive Portal Abuse [high] - UC-10.11.99 · Check Point Threat Prevention Extraction Blocks [high] - UC-10.11.100 · Check Point Mobile Access VPN Session Anomalies [high] - UC-10.11.101 · CrowdStrike Identity Protection Risk Scores [high] - UC-10.11.102 · CrowdStrike File Integrity Monitoring Alerts [high] - UC-10.11.103 · CrowdStrike Cloud Workload Protection Detections [high] - UC-10.11.104 · CrowdStrike Host Containment Events [high] - UC-10.11.105 · CrowdStrike Custom IOA Tuning Metrics [high] - UC-10.11.106 · Zscaler ZTNA Application Access Denials [high] - UC-10.11.107 · Zscaler CASB Shadow IT Upload Volume [high] - UC-10.11.108 · Zscaler DNS Security Filtering [high] - UC-10.11.109 · Zscaler Bandwidth Control and QoS Events [high] - UC-10.11.110 · VMware Carbon Black Enterprise EDR Search Audit [high] - UC-10.11.111 · VMware Carbon Black Vulnerability Assessment Integration [high] - UC-10.11.112 · Carbon Black Prevention Exclusion Review [high] - UC-10.11.113 · Carbon Black Network Connection Anomaly Baseline [high] - UC-10.11.114 · Tenable SC Scan Zone and Scanner Assignment Audit [high] - UC-10.11.115 · Tenable.io Agent and Linked Scanner Health [high] - UC-10.11.116 · Tenable WAS Remediation Verification Scans [high] - UC-10.11.117 · Tanium Interact Saved Question Drift [high] - UC-10.11.118 · Tanium Connect SOAR Forwarding Audit [high] - UC-10.11.119 · Tanium Threat Intel Feed Application [high] - UC-10.11.120 · Tanium Benchmark and CIS Report Pack Compliance [high] - UC-10.11.121 · Check Point Zero-Day Phishing Detection via Zero Phishing [critical] - UC-10.11.122 · Check Point ThreatCloud IOC Match Rate [high] - UC-10.11.123 · Check Point Quantum IoT Protect Device Discovery [medium] - UC-10.11.124 · Check Point Quantum Maestro Orchestrator Health [critical] - UC-10.11.125 · Check Point CloudGuard Network Security Events [high] - 
UC-10.11.126 · Check Point Threat Prevention Policy Layer Effectiveness [high] - UC-10.11.127 · Check Point Admin Session and Login Audit [high] - UC-10.11.128 · Check Point DDoS Protector Integration Events [critical] - UC-10.11.129 · Check Point Infinity ThreatCloud Managed Security Service Events [high] - UC-10.11.130 · Check Point HTTPS Inspection Certificate Errors [high] ### 10.12 Industry-Specific Compliance & Fraud Detection - UC-10.12.1 · ATM Fraud Pattern Detection [critical] - UC-10.12.2 · Wire Transfer Anomaly Detection [critical] - UC-10.12.3 · Credit Card Velocity Checks [high] - UC-10.12.4 · Account Takeover Indicators [critical] - UC-10.12.5 · ACH Origination Anomalies [critical] - UC-10.12.6 · Card-Not-Present Transaction Spikes [high] - UC-10.12.7 · PCI DSS Log Review Compliance [high] [PCI DSS] - UC-10.12.8 · SOX Access Control Audit [high] [SOX] - UC-10.12.9 · KYC Continuous Monitoring [high] - UC-10.12.10 · Trade Settlement Failure Monitoring [critical] - UC-10.12.11 · Market Data Feed Latency [critical] - UC-10.12.12 · Order Execution Anomaly Detection [high] - UC-10.12.13 · Algorithmic Trading Circuit Breaker [critical] - UC-10.12.14 · FIX Protocol Session Health [critical] - UC-10.12.15 · PCI Scope Validation [high] [PCI DSS] - UC-10.12.16 · ePHI Access Audit [critical] [HIPAA] - UC-10.12.17 · HIPAA Transmission Security [high] [HIPAA] - UC-10.12.18 · Audit Log Retention Compliance [medium] - UC-10.12.19 · Minimum Necessary Access Validation [high] - UC-10.12.20 · Breach Notification Readiness Assessment [critical] - UC-10.12.21 · BAA Compliance Monitoring [high] - UC-10.12.22 · Infusion Pump Connectivity Monitoring [critical] - UC-10.12.23 · Medical Device Network Segmentation [critical] - UC-10.12.24 · HL7 Message Delivery Monitoring [high] - UC-10.12.25 · FHIR API Error Rate [high] - UC-10.12.26 · EHR Login Anomaly Detection [critical] - UC-10.12.27 · PACS Image Transfer Failures [high] - UC-10.12.28 · Pharmacy Dispensing Audit [high] - 
UC-10.12.29 · Clinical Alert Fatigue Analysis [medium] - UC-10.12.30 · ADT Message Routing Failures [high] - UC-10.12.31 · POS Transaction Anomaly Detection [high] - UC-10.12.32 · Gift Card Fraud Patterns [high] - UC-10.12.33 · E-Commerce Bot Detection [high] - UC-10.12.34 · Payment Gateway Health [critical] - UC-10.12.35 · Promotional Pricing Compliance [medium] - UC-10.12.36 · Inventory System Sync Failures [high] - UC-10.12.37 · Omnichannel Order Routing Failures [high] - UC-10.12.38 · Cart Abandonment Correlation [medium] - UC-10.12.39 · FedRAMP Continuous Monitoring [critical] [FedRAMP] - UC-10.12.40 · CMMC Compliance Assessment [critical] [CMMC] - UC-10.12.41 · NIST 800-53 Control Validation [high] [NIST 800-53] - UC-10.12.42 · CAC Authentication Monitoring [high] - UC-10.12.43 · FISMA Reporting Automation [high] [FISMA] - UC-10.12.44 · CJIS Audit Log Compliance [critical] [CJIS] - UC-10.12.45 · Government Cloud Authorization Boundary [critical] ### 10.13 CIM Data Model Standard Monitoring Patterns - UC-10.13.1 · Failed Authentication Ratio Trending [high] - UC-10.13.2 · Authentication Type Distribution [medium] - UC-10.13.3 · Impossible Travel Detection (CIM) [critical] - UC-10.13.4 · Service Account Interactive Login (CIM) [critical] - UC-10.13.5 · Authentication Source Diversity [medium] - UC-10.13.6 · MFA Failure Rate Trending (CIM) [high] - UC-10.13.7 · Off-Hours Authentication (CIM) [high] - UC-10.13.8 · Password Spray Detection via CIM [critical] - UC-10.13.9 · Top Talkers Analysis (CIM) [medium] - UC-10.13.10 · Protocol Anomaly Detection (CIM) [high] - UC-10.13.11 · Connection Duration Outliers (CIM) [medium] - UC-10.13.12 · Internal-to-External Traffic Ratio (CIM) [high] - UC-10.13.13 · DNS Query Volume (CIM) [high] - UC-10.13.14 · Network Session Anomaly (CIM) [high] - UC-10.13.15 · Malware Detection Rate Trending [critical] - UC-10.13.16 · Quarantine Success Rate [high] - UC-10.13.17 · Recurring Infection (Same Host) [critical] - UC-10.13.18 · 
Malware Family Distribution [medium] - UC-10.13.19 · Endpoint Malware Coverage [high] - UC-10.13.20 · IDS Alert Severity Trending [high] - UC-10.13.21 · Signature Hit Analysis [medium] - UC-10.13.22 · False Positive Ratio (IDS CIM) [medium] - UC-10.13.23 · Attack Vector Distribution [high] - UC-10.13.24 · IDS Signature Update Compliance [high] - UC-10.13.25 · Vulnerability Age Tracking [high] - UC-10.13.26 · Remediation Velocity [high] - UC-10.13.27 · CVSS Distribution [medium] - UC-10.13.28 · Asset Risk Scoring (CIM) [high] - UC-10.13.29 · Vulnerability Scan Gap Detection [high] - UC-10.13.30 · Email Volume Anomaly [high] - UC-10.13.31 · Attachment Type Analysis [medium] - UC-10.13.32 · Internal-External Mail Ratio [medium] - UC-10.13.33 · Delivery Failure Trending [high] - UC-10.13.34 · HTTP Method Distribution [medium] - UC-10.13.35 · HTTP Response Code Trending [high] - UC-10.13.36 · User Agent Analysis [medium] - UC-10.13.37 · Bandwidth by Category [medium] - UC-10.13.38 · Web Application Error Rate [high] - UC-10.13.39 · Change Velocity Tracking [medium] - UC-10.13.40 · Unauthorized Change Detection [critical] - UC-10.13.41 · Change-to-Incident Correlation [high] - UC-10.13.42 · Configuration Drift Analysis [high] - UC-10.13.43 · Change Window Violations [high] - UC-10.13.44 · Process Execution Anomaly [critical] - UC-10.13.45 · Service State Changes [high] - UC-10.13.46 · Filesystem Integrity [high] - UC-10.13.47 · Registry Modification Tracking [high] - UC-10.13.48 · Installed Software Changes [medium] - UC-10.13.49 · Endpoint Resource Utilization (CIM) [medium] ### 10.14 OT Security and MITRE ATT&CK for ICS - UC-10.14.1 · OT Security Add-on Health and Configuration Status [medium] - UC-10.14.2 · ICS Protocol Allow-List Violation [critical] - UC-10.14.3 · Default or Shared Credentials on OT Devices [critical] - UC-10.14.4 · PLC Program Change Outside Maintenance Window [critical] - UC-10.14.5 · Data Historian Compromise Indicators [critical] - UC-10.14.6 · 
Internet-Accessible Device in OT Zone [critical] - UC-10.14.7 · Rogue Engineering Tool Execution [critical] - UC-10.14.8 · OT Network Reconnaissance and Scanning [high] - UC-10.14.9 · Unauthorized Firmware Upload to Field Device [critical] - UC-10.14.10 · SCADA HMI Tampering Indicators [critical] - UC-10.14.11 · Safety Instrumented System (SIS) Bypass [critical] - UC-10.14.12 · Unauthorized VPN Tunnel into OT Network [critical] - UC-10.14.13 · OT Asset Risk Score Threshold Breach [high] - UC-10.14.14 · OT User Risk Score Accumulation [high] - UC-10.14.15 · IT-to-OT Perimeter Firewall Rule Violation [critical] - UC-10.14.16 · NERC CIP Electronic Access Point Monitoring [critical] [NERC CIP] - UC-10.14.17 · NERC CIP Physical Security Perimeter Log Review [high] [NERC CIP] - UC-10.14.18 · NERC CIP System Security Management Patch Tracking [high] [NERC CIP] - UC-10.14.19 · NERC CIP Incident Reporting Timeline Compliance [critical] [NERC CIP] - UC-10.14.20 · OT Network Baseline Deviation Detection [high] ### 10.15 Machine Learning & Behavioral Analytics - UC-10.15.1 · User Peer-Group Logon Volume Anomaly (MLTK) [critical] - UC-10.15.2 · Lateral Movement via Rare Destination Hosts (MLTK) [critical] - UC-10.15.3 · C2 Beaconing Detection via Time-Series Regularity (MLTK) [critical] - UC-10.15.4 · Credential Stuffing Burst Detection vs Baseline (MLTK) [critical] - UC-10.15.5 · Risk Score Calibration with Supervised ML (MLTK) [high] - UC-10.15.6 · Phishing Email NLP Classification (DSDL) [critical] - UC-10.15.7 · Notable Event Prioritization Model (MLTK) [high] - UC-10.15.8 · User and Entity Behavior Analytics — Anomalous Process Execution (MLTK) [critical] ### 10.16 Security Operations Trending - UC-10.16.1 · Attack Surface Change Trending [high] - UC-10.16.2 · SIEM Alert-to-Incident Ratio Trending [high] - UC-10.16.3 · Mean Time to Detect (MTTD) Trending [critical] - UC-10.16.4 · Mean Time to Respond (MTTR) Trending [critical] - UC-10.16.5 · Phishing Attempt Volume 
Trending [high] - UC-10.16.6 · Firewall Rule Hit Rate Trending [medium] - UC-10.16.7 · Risk Score Distribution Trending [high] - UC-10.16.8 · Endpoint Protection Coverage Trending [high] - UC-10.6.194 · Citrix SmartAccess Policy Match Failures [high] - UC-10.6.195 · Citrix Clipboard and File Transfer Data Exfiltration [critical] - UC-10.6.196 · Citrix Session Hijack Detection (Impossible Travel) [critical] - UC-10.6.197 · Citrix Admin Console Privilege Escalation Detection [critical] - UC-10.6.198 · Citrix Session Watermarking Enforcement Errors [high] - UC-10.6.199 · Citrix Unauthorized Published Application Launch Attempts [high] - UC-10.6.200 · Citrix Anomalous Session Behavior (Off-Hours, Unusual Apps) [high] ## 11. Email & Collaboration Microsoft 365, Exchange, Teams, and collaboration platforms — mail flow, audit logging, and DLP events. **Quick tip:** Configure Splunk Add-on for Microsoft 365 with Management Activity API for audit events. Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-11-email-collaboration.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-11-email-collaboration.md ### 11.1 Microsoft 365 / Exchange - UC-11.1.1 · Mail Flow Health Monitoring [critical] - UC-11.1.2 · Mailbox Audit Logging [high] - UC-11.1.3 · Exchange Online Protection Events [high] - UC-11.1.4 · Teams Usage Analytics [medium] - UC-11.1.5 · SharePoint/OneDrive Sharing Audit [high] - UC-11.1.6 · DLP Policy Events [high] - UC-11.1.7 · Admin Activity Audit [high] - UC-11.1.8 · Inbox Rule Monitoring [critical] - UC-11.1.9 · Service Health Monitoring [high] - UC-11.1.10 · License Utilization [medium] - UC-11.1.11 · Exchange Message Queue Depth [high] - UC-11.1.12 · Exchange Database Copy Queue Length [high] ### 11.2 Google Workspace - UC-11.2.1 · Admin Console Audit [high] - UC-11.2.2 · Gmail Message Flow [high] - UC-11.2.3 · Drive Sharing Anomalies [high] - UC-11.2.4 · Login Anomaly Detection 
[critical] - UC-11.2.5 · Meet Quality Monitoring [medium] - UC-11.2.6 · Third-Party App Access [high] - UC-11.2.7 · Drive External Sharing Alerts [high] - UC-11.2.8 · Admin Console Audit (Security Settings) [critical] - UC-11.2.9 · Gmail Suspicious Forwarding [critical] - UC-11.2.10 · Chrome Management Policy Compliance [high] - UC-11.2.11 · Google Vault Hold Compliance [high] - UC-11.2.12 · Workspace Marketplace App Review [high] - UC-11.2.13 · Groups Membership Changes [high] - UC-11.2.14 · Cloud Identity Device Management [high] - UC-11.2.15 · Google Meet Quality Metrics [medium] - UC-11.2.16 · Gmail Phishing Report Analysis [high] - UC-11.2.17 · Workspace DLP Rule Violations [high] - UC-11.2.18 · Google Takeout Monitoring [critical] ### 11.3 Unified Communications - UC-11.3.1 · Call Quality Monitoring — MOS (Cisco CUCM) [high] - UC-11.3.2 · Call Volume Trending (Cisco CUCM) [medium] - UC-11.3.3 · VoIP Jitter/Latency/Packet Loss (Cisco CUCM) [high] - UC-11.3.4 · Trunk Utilization (Cisco CUCM) [high] - UC-11.3.5 · Conference Bridge Capacity (Cisco CUCM) [medium] - UC-11.3.6 · Toll Fraud Detection (Cisco CUCM) [critical] - UC-11.3.7 · Phone Registration Status (Cisco CUCM) [high] - UC-11.3.8 · Webex Meeting Analytics [medium] - UC-11.3.9 · Mailbox Size and Quota Trending [medium] - UC-11.3.10 · Email Forwarding Rule and Auto-Reply Audit [high] - UC-11.3.11 · Collaboration App Permission and Consent Audit [high] [GDPR] - UC-11.3.12 · Voicemail and Call Recording Retention Compliance [medium] - UC-11.3.13 · Outbound Email Volume and Domain Anomaly [high] - UC-11.3.14 · Webex Meeting Quality Degradation Detection [high] - UC-11.3.15 · Webex Calling CDR and Call Flow Analysis [medium] - UC-11.3.16 · Webex Calling Queue Performance and SLA [critical] - UC-11.3.17 · Webex Admin Audit Trail [high] - UC-11.3.18 · Webex DLP and File Compliance Monitoring [critical] - UC-11.3.19 · Webex Device Health and Environmental Monitoring [high] - UC-11.3.20 · Webex License 
Utilization and Adoption Tracking [medium] - UC-11.3.21 · Webex Messaging Activity and Anomaly Detection [medium] - UC-11.3.22 · SharePoint Site Storage Utilization [medium] - UC-11.3.23 · SharePoint Search Crawl Health [medium] - UC-11.3.25 · SIP Server Availability Monitoring (ThousandEyes) [critical] - UC-11.3.26 · SIP Registration Time Tracking (ThousandEyes) [high] - UC-11.3.27 · RTP MOS Score Monitoring (ThousandEyes) [critical] - UC-11.3.28 · Webex Meeting Quality Assurance via ThousandEyes [high] - UC-11.3.29 · Microsoft Teams Network Readiness (ThousandEyes) [high] - UC-11.3.30 · Zoom Collaboration Performance (ThousandEyes) [high] - UC-11.3.31 · RoomOS Device Network Health via ThousandEyes [high] - UC-11.3.32 · Wire-Level VoIP Quality (MOS from RTP Stream) [critical] - UC-11.3.33 · Emergency Call (E911/E112) Tracking [critical] - UC-11.3.34 · Answer Seizure Ratio (ASR) by Route Group [high] - UC-11.3.35 · CUCM CDR Call Path Analysis [high] - UC-11.3.36 · CUCM CMR Call Quality Heatmap [high] - UC-11.3.37 · CUCM Phone Firmware Compliance [high] - UC-11.3.38 · CUCM Gateway and CUBE Utilization [critical] - UC-11.3.39 · CUCM Cluster Database Replication Health [critical] - UC-11.3.40 · CUCM Call Admission Control (CAC) Rejection Trending [high] - UC-11.3.41 · CUCM Hunt Group and Line Group Overflow [medium] - UC-11.3.42 · Webex Contact Center Agent State and Occupancy [high] - UC-11.3.43 · Webex Contact Center IVR Containment Rate [high] - UC-11.3.44 · Webex Contact Center Customer Wait Time SLA by Skill Group [critical] - UC-11.3.45 · UCCX Real-Time Queue and Agent Monitoring [high] - UC-11.3.46 · Contact Center Abandon Rate Correlation with Network Quality [high] - UC-11.3.47 · Jabber Client Version Compliance and Health [medium] - UC-11.3.48 · IM and Presence Service Availability [high] - UC-11.3.49 · Unity Connection Voicemail System Health [high] - UC-11.3.50 · Unity Connection Mailbox Usage and Retention Compliance [medium] - UC-11.3.51 · Pexip 
Conference Volume and Concurrency Trending [high] - UC-11.3.52 · Pexip Participant Call Quality Monitoring [critical] - UC-11.3.53 · Pexip Conferencing Node Capacity and Load [critical] - UC-11.3.54 · Pexip License Consumption Tracking [high] - UC-11.3.55 · Pexip Alarm and Service Health Monitoring [critical] - UC-11.3.56 · Pexip Registration and Gateway Call Routing [medium] - UC-11.3.57 · Pexip Participant Join Failure Analysis [high] - UC-11.3.58 · Pexip Interoperability and Protocol Mix [medium] ### 11.4 Mail Transport & Relay Infrastructure - UC-11.4.1 · SMTP Service Availability [high] - UC-11.4.2 · POP3 / IMAP Mail Retrieval Service Availability [medium] - UC-11.4.3 · Mail Queue Depth and Deferred Message Backlog [high] - UC-11.4.4 · SMTP Authentication and Relay Policy Violations [high] - UC-11.4.5 · Mail Delivery Rate and Bounce Rate by Domain [medium] - UC-11.4.6 · Outbound Mail Volume and Recipient Anomaly [high] - UC-11.4.7 · Mail Server TLS and Certificate Expiration [critical] - UC-11.4.8 · SMTP Relay Monitoring [high] ### 11.5 Video Conferencing & Collaboration Analytics - UC-11.5.1 · Zoom Meeting Quality Metrics (Jitter, Packet Loss, Latency) [high] - UC-11.5.2 · Zoom Call Drop Rate Monitoring [high] - UC-11.5.3 · Zoom Participant Join Failures [high] - UC-11.5.4 · Webex Device Health [high] - UC-11.5.5 · Webex Room System Uptime [medium] - UC-11.5.6 · Video Conferencing License Utilization [medium] - UC-11.5.7 · Meeting Recording Storage Trending [medium] - UC-11.5.8 · Teams Meeting Quality Analysis [high] - UC-11.5.9 · Meeting Room No-Show and Early Release Trending [medium] - UC-11.5.10 · Meeting Room People Count vs Capacity Optimization [medium] - UC-11.5.11 · Meeting Room AV Equipment Health [high] - UC-11.5.12 · Digital Signage and Room Scheduler Device Health [medium] ## 12. DevOps & CI/CD Source control, CI/CD pipelines, artifact management, and IaC — build failures, deployment frequency, and secret exposure. 
**Quick tip:** Forward CI/CD logs (Jenkins, GitHub Actions) via webhook or log file monitoring to Splunk. Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-12-devops-ci-cd.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-12-devops-ci-cd.md ### 12.1 Source Control - UC-12.1.1 · Commit Activity Trending [medium] - UC-12.1.2 · Branch Protection Bypasses [critical] - UC-12.1.3 · Pull Request Metrics [medium] - UC-12.1.4 · Secret Exposure Detection [critical] - UC-12.1.5 · Repository Access Audit [high] - UC-12.1.6 · Force Push Detection [high] - UC-12.1.7 · GitHub Actions Workflow Run Time Trending [medium] - UC-12.1.8 · GitHub Actions Billing Usage [medium] - UC-12.1.9 · Branch Protection Bypass Detection [critical] - UC-12.1.10 · Force Push to Protected Branches [critical] - UC-12.1.11 · Sensitive File Commit Detection [critical] - UC-12.1.12 · Repository Permission Changes [high] - UC-12.1.13 · PR Review Bypass Detection [critical] - UC-12.1.14 · Fork Network Suspicious Activity [high] - UC-12.1.15 · CODEOWNERS File Modification Monitoring [high] - UC-12.1.16 · Large File Commit Detection [medium] - UC-12.1.17 · Signed Commit Enforcement [high] - UC-12.1.18 · Stale Branch Cleanup Tracking [medium] - UC-12.1.19 · Repository Webhook Health [high] - UC-12.1.20 · Code Scanning Alert Trends [high] ### 12.2 CI/CD Pipelines - UC-12.2.1 · Build Success Rate Trending [high] - UC-12.2.2 · Build Duration Monitoring [medium] - UC-12.2.3 · Deployment Frequency (DORA) [medium] - UC-12.2.4 · Lead Time for Changes (DORA) [medium] - UC-12.2.5 · Failed Deployment Tracking [critical] - UC-12.2.6 · Pipeline Queue Time [medium] - UC-12.2.7 · Test Coverage Trending [medium] - UC-12.2.8 · Security Scan Results in Pipeline [critical] - UC-12.2.9 · Jenkins Executor Utilization [medium] - UC-12.2.10 · Jenkins Node Offline Detection [high] - UC-12.2.11 · GitLab CI Runner Availability [high] - UC-12.2.12 · 
GitLab Pipeline Duration Trending [medium] - UC-12.2.14 · Jenkins Agent Offline Alerts [critical] - UC-12.2.15 · Pipeline Stage Duration Regression [medium] - UC-12.2.16 · Build Artifact Integrity Verification [critical] - UC-12.2.17 · Deploy Approval Bypass Detection [critical] - UC-12.2.18 · Parallel Build Resource Contention [medium] - UC-12.2.19 · Flaky Test Detection [high] - UC-12.2.20 · Deployment Frequency Tracking [medium] - UC-12.2.21 · Lead Time for Changes (Percentile) [medium] - UC-12.2.22 · Mean Time to Recovery (MTTR) [high] - UC-12.2.23 · Change Failure Rate [high] - UC-12.2.24 · Pipeline Secret Rotation Compliance [high] - UC-12.2.25 · Build Queue Wait Time SLA [high] - UC-12.2.26 · Test Coverage Regression [high] - UC-12.2.27 · Pipeline Resource Utilization [medium] ### 12.3 Artifact & Package Management - UC-12.3.1 · Artifact Repository Health [medium] - UC-12.3.2 · Dependency Vulnerability Alerts [critical] - UC-12.3.3 · Package Download Anomalies [high] - UC-12.3.4 · License Compliance Tracking [medium] - UC-12.3.5 · Terraform State Drift Detection [medium] - UC-12.3.6 · Container Image Vulnerability Scan Failures [critical] - UC-12.3.7 · Package Dependency Audit Alerts [high] - UC-12.3.8 · Artifact Retention Policy Compliance [medium] - UC-12.3.9 · SBOM Generation Compliance [high] - UC-12.3.10 · Artifact Signing Verification [critical] - UC-12.3.11 · Package Provenance Tracking [high] - UC-12.3.12 · Registry Storage Growth [medium] ### 12.4 Infrastructure as Code - UC-12.4.1 · Terraform Plan/Apply Tracking [high] - UC-12.4.2 · Configuration Drift Detection [high] - UC-12.4.3 · Ansible Playbook Outcomes [medium] - UC-12.4.4 · Puppet/Chef Compliance Reports [medium] - UC-12.4.5 · IaC Policy Violations [high] - UC-12.4.6 · Pipeline Failure Root Cause Trending [high] - UC-12.4.7 · Container Image Build and Push Audit [high] - UC-12.4.8 · Release Gate and Approval Lag [medium] - UC-12.4.9 · Feature Flag and Experiment Rollout Monitoring [medium] - 
UC-12.4.10 · Deployment Rollback and Canary Health [critical] - UC-12.4.11 · ArgoCD Application Sync Status [high] - UC-12.4.12 · Terraform Plan Drift Detection [high] - UC-12.4.13 · CloudFormation Stack Drift [high] - UC-12.4.14 · Ansible Playbook Failure Tracking [high] - UC-12.4.15 · Policy-as-Code Violation Trending [high] - UC-12.4.16 · IaC Module Version Compliance [medium] ### 12.5 GitOps & Deployment Automation - UC-12.5.1 · ArgoCD Sync Status Failures [high] - UC-12.5.2 · ArgoCD Drift Detection [high] - UC-12.5.3 · Flux Reconciliation Health [high] - UC-12.5.4 · GitHub Actions Workflow Failure Rate [medium] - UC-12.5.5 · GitHub Actions Runner Queue Depth [high] - UC-12.5.6 · GitLab CI Pipeline Duration Regression [medium] - UC-12.5.7 · Deployment Rollback Frequency Tracking [high] - UC-12.5.8 · Helm Release Health Monitoring [high] - UC-12.5.9 · Kustomize Build Error Tracking [medium] - UC-12.5.10 · GitOps Deployment Lead Time [medium] ### 12.6 DevOps Trending - UC-12.6.1 · DORA Metrics Trending Dashboard [high] - UC-12.6.2 · Security Scan Finding Trending [high] - UC-12.6.3 · Build Queue Wait Time Trending [medium] - UC-12.6.4 · Container Image Build Time Trending [medium] ## 13. Observability & Monitoring Stack Splunk platform health, APM, synthetic monitoring, and log aggregation — indexer queues, search performance, and forwarder health. **Quick tip:** Use the Monitoring Console (MC) built into Splunk and supplement with _internal index searches. 
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-13-observability-monitoring-stack.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-13-observability-monitoring-stack.md

### 13.1 Splunk Platform Health

- UC-13.1.1 · Indexer Queue Fill Ratio [critical]
- UC-13.1.2 · Search Concurrency Monitoring [high]
- UC-13.1.3 · Forwarder Connectivity [critical]
- UC-13.1.4 · License Usage Trending [high]
- UC-13.1.5 · Skipped Search Detection [high]
- UC-13.1.6 · Index Size Trending [medium]
- UC-13.1.7 · KV Store Health [high]
- UC-13.1.8 · Deployment Server Status [medium]
- UC-13.1.9 · Data Ingestion Latency [high]
- UC-13.1.10 · Search Head Cluster Status [critical]
- UC-13.1.11 · Indexer Cluster Bucket Replication [critical]
- UC-13.1.12 · HEC Endpoint Health [high]
- UC-13.1.13 · Sourcetype Breakdown Trending [medium]
- UC-13.1.14 · Long-Running Search Detection [medium]
- UC-13.1.15 · Splunk Certificate Expiration [critical]
- UC-13.1.16 · Parsing Queue Health (_internal) [high]
- UC-13.1.17 · Merging Queue Health (_internal) [high]
- UC-13.1.18 · Typing Queue Health (_internal) [high]
- UC-13.1.19 · TCP Output Connection Failures (_internal) [critical]
- UC-13.1.20 · Modular Input Errors (_internal) [high]
- UC-13.1.21 · Data Model Acceleration Status (_internal) [medium]
- UC-13.1.22 · Summary Indexing Failures (_internal) [high]
- UC-13.1.23 · Indexer Disk Space Utilization (_internal) [critical]
- UC-13.1.24 · SmartStore Cache Hit/Miss Ratio (_internal) [high]
- UC-13.1.25 · Cluster Bundle Push Failures (_internal) [critical]
- UC-13.1.26 · splunkd Unexpected Restart Detection (_internal) [critical]
- UC-13.1.27 · Splunk Web UI Errors (_internal) [high]
- UC-13.1.28 · SHC Configuration Replication Lag (_internal) [critical]
- UC-13.1.29 · Ingest Actions Pipeline Status (_internal) [high]
- UC-13.1.30 · Timestamp Parsing Accuracy (_internal) [high]
- UC-13.1.31 · Workload Management Pool Saturation (_internal) [high]
- UC-13.1.32 · Search Scheduler Fill Ratio (_internal) [high]
- UC-13.1.33 · Knowledge Bundle Size Monitoring (_internal) [medium]
- UC-13.1.34 · Real-Time Search Resource Consumption (_internal) [medium]
- UC-13.1.35 · User Search Activity Audit (_audit) [medium]
- UC-13.1.36 · Configuration File Change Tracking (_audit) [high]
- UC-13.1.37 · Knowledge Object Modification Audit (_audit) [high]
- UC-13.1.38 · REST API Access Pattern Analysis (_audit) [high]
- UC-13.1.39 · Role and Capability Change Detection (_audit) [critical]
- UC-13.1.40 · Per-Process CPU and Memory Trending (_introspection) [high]
- UC-13.1.41 · Dispatch Directory Size (_introspection) [medium]
- UC-13.1.42 · I/O Wait Bottleneck Detection (_introspection) [high]
- UC-13.1.43 · Splunk Version Compliance (operational inventory) [high]
- UC-13.1.44 · App Version Consistency Across SHC (operational inventory) [high]
- UC-13.1.45 · Forwarder Version Compliance (operational inventory) [high]
- UC-13.1.46 · Log Volume and Error Rate Anomaly per Sourcetype (MLTK) [critical]
- UC-13.1.47 · License Usage Forecast with Seasonality (MLTK) [high]
- UC-13.1.48 · Splunk Internal Queue Depth Multivariate Anomaly (MLTK) [high]
- UC-13.1.49 · Service Latency Seasonality and Anomaly (MLTK) [high]
- UC-13.1.50 · Kubernetes HPA Replica Count Anomaly (MLTK) [high]
- UC-13.1.51 · SLO Burn-Rate Multivariate Anomaly (MLTK) [critical]

### 13.2 Splunk ITSI (Premium)

- UC-13.2.1 · Service Health Score Trending [critical]
- UC-13.2.2 · KPI Degradation Alerting [critical]
- UC-13.2.3 · Episode Volume and MTTR [high]
- UC-13.2.4 · Entity Status Monitoring [high]
- UC-13.2.5 · Base Search Performance [medium]
- UC-13.2.6 · Rules Engine Health [critical]
- UC-13.2.7 · Predictive Service Degradation [high]
- UC-13.2.8 · Glass Table NOC Display [medium]
- UC-13.2.9 · Elasticsearch Ingest Pipeline Errors [high]
- UC-13.2.10 · Fluentd / Fluent Bit Buffer Overflow [high]
- UC-13.2.11 · KPI Threshold Violation Trending [high]
- UC-13.2.12 · Episode Correlation Accuracy [medium]
- UC-13.2.13 · Maintenance Window Compliance [high]
- UC-13.2.14 · Glass Table SLA Breaches [high]
- UC-13.2.15 · Service Dependency Health Propagation [critical]
- UC-13.2.16 · ITSI Backup Set Integrity [critical]
- UC-13.2.17 · Notable Event Suppression Audit [high]
- UC-13.2.18 · Adaptive Thresholding Effectiveness [medium]
- UC-13.2.19 · Multi-Tier Application Service Tree Modeling [critical]
- UC-13.2.20 · Entity Discovery Completeness Audit [medium]
- UC-13.2.21 · Content Pack Deployment Health (Monitoring and Alerting) [high]
- UC-13.2.23 · Notable Event Volume Trending by Source [medium]
- UC-13.2.24 · KPI Drift Detection for Gradual Degradation [high]
- UC-13.2.25 · MLTK Custom Anomaly Detection on KPI Data [medium]
- UC-13.2.26 · Splunk On-Call (VictorOps) Alert Routing [high]
- UC-13.2.27 · Observability Cloud Alert Ingestion [medium]
- UC-13.2.28 · Service Template Adoption and Consistency [medium]
- UC-13.2.29 · Entity-Level Adaptive Threshold Tuning [medium]
- UC-13.2.30 · Configuration Assistant Recommendations Tracking [medium]
- UC-13.2.31 · Deep Dive Utilization and Performance [medium]
- UC-13.2.32 · ITSI Team Permission and RBAC Audit [high]
- UC-13.2.33 · Business Service SLA Composite Scoring [critical]
- UC-13.2.34 · Episode MTTR Analysis by Service Tier [high]
- UC-13.2.35 · ITSI License and Capacity Utilization [medium]
- UC-13.2.36 · Azure Log Analytics Workspace Ingestion Health [high]
- UC-13.2.37 · Entity-Level Multivariate Anomaly Detection (MLTK + ITSI) [critical]
- UC-13.2.38 · Causal KPI Ranking — Root-Cause Acceleration (MLTK + ITSI) [high]

### 13.3 Third-Party Monitoring Integration

- UC-13.3.1 · Nagios/Zabbix Alert Ingestion [medium]
- UC-13.3.2 · Prometheus Metric Ingestion [medium]
- UC-13.3.3 · PagerDuty/Opsgenie Integration [medium]
- UC-13.3.4 · Monitoring Coverage Gap Detection [high]
- UC-13.3.5 · Alert Storm Detection [critical]
- UC-13.3.6 · SLO Burn Rate and Error Budget Tracking [high]
- UC-13.3.7 · Distributed Trace Sampling and Coverage [medium]
- UC-13.3.8 · Log Ingestion Backlog and Lag [critical]
- UC-13.3.9 · Dashboard and Saved Search Usage Analytics [medium]
- UC-13.3.10 · Synthetic Check Failure and Geographic Variance [high]
- UC-13.3.11 · Prometheus Target Scrape Failures [high]
- UC-13.3.12 · Prometheus TSDB Compaction Failures [high]
- UC-13.3.13 · Grafana Datasource Health [medium]
- UC-13.3.14 · OpenTelemetry Collector Dropped Spans and Metrics [high]
- UC-13.3.15 · OpenTelemetry Collector Pipeline Throughput and Backpressure [critical]
- UC-13.3.16 · OpenTelemetry Collector Memory and CPU Utilization [high]
- UC-13.3.17 · OpenTelemetry Collector Configuration Drift Detection [medium]
- UC-13.3.18 · OpenTelemetry Receiver Health by Signal Type [high]
- UC-13.3.19 · OpenTelemetry Exporter Retry and Timeout Monitoring [high]

### 13.4 AI & LLM Observability

- UC-13.4.1 · LLM API Latency and Error Rate (OpenAI, Azure OpenAI) [high]
- UC-13.4.2 · Token Usage and Cost per Model and Application [medium]
- UC-13.4.3 · GPU and TPU Utilization for Inference Workloads [high]
- UC-13.4.4 · Model Version Deployment Tracking [medium]
- UC-13.4.5 · AI Gateway Rate Limiting and Quota Management [high]
- UC-13.4.6 · Ollama Local LLM Abuse Detection (ESCU) [critical]
- UC-13.4.7 · MCP Server Suspicious Activity Detection (ESCU) [critical]
- UC-13.4.8 · Microsoft 365 Copilot Data Exfiltration Risk (ESCU) [critical]
- UC-13.4.9 · LLM Prompt Injection Attempt Detection [critical]
- UC-13.4.10 · AI Model API Key Rotation Compliance [high]
- UC-13.4.11 · LLM Output Content Policy Violation Logging [high]
- UC-13.4.12 · AI Inference Pipeline Error Rate [high]
- UC-13.4.13 · Seq2Seq Log Anomaly Detection via Reconstruction Error (DSDL) [critical]
- UC-13.4.14 · Host-Metric Heatmap Anomaly via CNN (DSDL) [high]
- UC-13.4.15 · MLTK Model Drift and Performance Monitoring [high]

### 13.5 OpenTelemetry, Observability Pipelines & SRE Patterns

- UC-13.5.1 · Trace Duration Anomaly and Slow Transaction Detection [critical]
- UC-13.5.2 · Trace Error Rate by Service and Operation [critical]
- UC-13.5.3 · Trace Completeness and Orphan Span Detection [high]
- UC-13.5.4 · Cross-Service Dependency Map from Traces [high]
- UC-13.5.5 · Log-to-Trace Correlation Coverage [medium]
- UC-13.5.6 · Trace Fanout and Depth Anomaly [high]
- UC-13.5.7 · Splunk APM Service Map Health (RED Metrics) [critical]
- UC-13.5.8 · Splunk APM Database Query Performance [high]
- UC-13.5.9 · Splunk RUM Core Web Vitals Tracking [critical]
- UC-13.5.10 · Splunk RUM JavaScript Error Rate by Page [high]
- UC-13.5.11 · Splunk Synthetic Monitoring Multi-Step Transaction SLA [high]
- UC-13.5.12 · Splunk Observability Cloud Detector Health [high]
- UC-13.5.13 · RED Metrics Dashboard Template (Rate, Errors, Duration) [high]
- UC-13.5.14 · USE Method for Infrastructure (Utilization, Saturation, Errors) [high]
- UC-13.5.15 · Golden Signals Composite Health per Service [high]
- UC-13.5.16 · SLO Definition and Multi-Window Burn Rate Alerting [critical]
- UC-13.5.17 · Error Budget Policy Enforcement [high]
- UC-13.5.18 · Observability Data Volume and Cost Attribution [high]
- UC-13.5.19 · Observability Cardinality Explosion Detection [critical]
- UC-13.5.20 · Instrumentation Coverage Audit [medium]
- UC-13.5.21 · Telemetry Signal Freshness and Staleness [high]

## 14. IoT & Operational Technology (OT)

Building management, industrial control, Splunk Edge Hub, and IoT platforms — sensor data, anomaly detection, and OT security.

**Quick tip:** Deploy Splunk Edge Hub with built-in sensors or configure MQTT/OPC-UA/Modbus protocol collection.
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-14-iot-operational-technology-ot.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-14-iot-operational-technology-ot.md

### 14.1 Building Management Systems (BMS)

- UC-14.1.1 · HVAC Performance Monitoring [high]
- UC-14.1.5 · Elevator/Equipment Health [medium]
- UC-14.1.6 · Environmental Compliance [critical]
- UC-14.1.7 · LoRaWAN Gateway Health [medium]
- UC-14.1.8 · Modbus Device Communication Failure Rate [high]
- UC-14.1.9 · OPC-UA Server Session Count and Subscription Health [high]
- UC-14.1.10 · SNMP Trap Storm Detection [critical]
- UC-14.1.11 · Device MIB Polling Failures [high]
- UC-14.1.12 · Firmware Version Compliance Across Fleet [high]
- UC-14.1.13 · Environmental Sensor Threshold Alerts [high]
- UC-14.1.14 · SNMPv3 Authentication Failures [high]
- UC-14.1.15 · Temperature Sensor Threshold Alerts (Meraki MT) [high]
- UC-14.1.16 · Humidity Monitoring and Dew Point Tracking (Meraki MT) [medium]
- UC-14.1.17 · Door Open/Close Event Detection and Alerts (Meraki MT) [high]
- UC-14.1.18 · Water Leak Detection and Flood Alerts (Meraki MT) [critical]
- UC-14.1.19 · Power Monitoring and Electrical Load Analysis (Meraki MT) [medium]
- UC-14.1.20 · Air Quality and CO2 Monitoring (Meraki MT) [medium]
- UC-14.1.21 · Ambient Noise Level Monitoring and Trend Analysis (Meraki MT) [low]
- UC-14.1.22 · Indoor Climate Trending and HVAC Optimization (Meraki MT) [low]
- UC-14.1.23 · Environmental Sensor Battery Health and Replacement Alerts (Meraki MT) [medium]
- UC-14.1.24 · Sensor Connectivity and Heartbeat Monitoring (Meraki MT) [high]
- UC-14.1.25 · AHU Supply Air Temperature Deviation [high]
- UC-14.1.26 · VAV Box Damper Position Stuck Detection [high]
- UC-14.1.27 · Chiller Plant COP Efficiency Trending [high]
- UC-14.1.28 · Cooling Tower Approach Temperature Trending [medium]
- UC-14.1.29 · HVAC Setpoint Override Frequency and Duration [medium]
- UC-14.1.30 · Economizer Free Cooling Hours Tracking [medium]
- UC-14.1.31 · Building Energy Consumption Intensity (kWh/m²) [high]
- UC-14.1.32 · Sub-Meter Energy Distribution by System [medium]
- UC-14.1.33 · After-Hours Energy Waste Detection [high]
- UC-14.1.34 · Peak Demand Shaving Effectiveness [medium]
- UC-14.1.35 · Lighting Schedule Compliance and Override Tracking [low]
- UC-14.1.36 · Elevator Trip Count and Usage Trending [medium]
- UC-14.1.37 · Elevator Door Fault Frequency and Prediction [critical]
- UC-14.1.38 · Elevator Wait Time and Service Quality [medium]
- UC-14.1.39 · Water Consumption Trending and Anomaly Detection [high]
- UC-14.1.40 · Domestic Hot Water Temperature Compliance (Legionella Prevention) [critical]
- UC-14.1.41 · Cooling Tower Water Chemistry Monitoring [medium]
- UC-14.1.42 · Fire Alarm Panel Zone Health and Event Monitoring [critical]
- UC-14.1.43 · Sprinkler System Valve Tamper and Supervisory Monitoring [critical]
- UC-14.1.44 · Fire Pump Controller Status and Run Monitoring [critical]
- UC-14.1.45 · BACnet Controller Communication Health [high]
- UC-14.1.46 · BMS Alarm Flood Detection and Suppression [medium]
- UC-14.1.47 · Parking Occupancy Trending and Capacity Planning [low]
- UC-14.1.48 · EV Charging Station Availability and Utilization [medium]
- UC-14.1.49 · Indoor Air Quality (IAQ) Index Monitoring [high]
- UC-14.1.50 · Carbon Emissions Tracking from Building Operations (Scope 1+2) [medium]

### 14.2 Industrial Control Systems (ICS/SCADA)

- UC-14.2.1 · PLC/RTU Health Monitoring [critical]
- UC-14.2.2 · Process Variable Anomalies [critical]
- UC-14.2.3 · Safety System Activation [critical]
- UC-14.2.4 · Network Segmentation Monitoring [critical]
- UC-14.2.5 · Firmware Version Tracking [high]
- UC-14.2.6 · Unauthorized Access Detection [critical]
- UC-14.2.7 · Modbus TCP Anomaly Detection [critical]
- UC-14.2.8 · OPC-UA Session Abuse [critical]
- UC-14.2.9 · PLC Firmware Change Detection [critical]
- UC-14.2.10 · ICS Protocol Violation Alerts [critical]
- UC-14.2.11 · NERC CIP Compliance Checks [critical] [NERC CIP]
- UC-14.2.12 · Historian Data Integrity [high]
- UC-14.2.13 · Safety Instrumented System Monitoring [critical]
- UC-14.2.14 · HMI Unauthorized Access [critical]
- UC-14.2.15 · Control Loop Deviation [high]
- UC-14.2.16 · Process Variable Trending [medium]
- UC-14.2.17 · ICS Network Segmentation Violations [critical]
- UC-14.2.18 · Engineering Workstation Anomaly [critical]
- UC-14.2.19 · OT Asset External Communication Detection [critical]
- UC-14.2.20 · OT Protocol Port Monitoring [high]
- UC-14.2.21 · Removable Media in OT Detection [critical]
- UC-14.2.22 · OT/IT Boundary Traffic Analysis [high]
- UC-14.2.23 · ICS Change Management Compliance [high]
- UC-14.2.24 · Production Line Downtime Tracking [critical]
- UC-14.2.25 · OEE Metrics Collection [high]
- UC-14.2.26 · Batch Process Deviation Alerting [critical]
- UC-14.2.27 · EDI Acknowledgement Monitoring [high]
- UC-14.2.28 · Supplier Delivery Performance [medium]

### 14.3 Splunk Edge Hub

- UC-14.3.1 · Temperature Anomaly Detection [high]
- UC-14.3.2 · Vibration & Motion Monitoring [high]
- UC-14.3.3 · Air Quality & VOC Monitoring [medium]
- UC-14.3.4 · Sound Level Anomalies [medium]
- UC-14.3.5 · MQTT Device Integration Monitoring [high]
- UC-14.3.6 · SNMP Device Polling from Edge [medium]
- UC-14.3.7 · Edge-to-Cloud Data Pipeline Health [high]
- UC-14.3.9 · Cold Storage Room Temperature Excursion Alert [critical]
- UC-14.3.10 · Museum & Archive Climate Control Compliance [high]
- UC-14.3.11 · Greenhouse Humidity & Growth Optimization [medium]
- UC-14.3.12 · Security Camera Motion Detection with Light Level Correlation [high]
- UC-14.3.13 · Energy Management & HVAC Occupancy-Based Control [medium]
- UC-14.3.14 · Warehouse Inventory Light-Based Shelf Monitoring [medium]
- UC-14.3.15 · Structural Health Monitoring via Vibration Baseline Drift [high]
- UC-14.3.16 · Door Open/Close Detection via Accelerometer Tilt [medium]
- UC-14.3.17 · Equipment Alignment & Vibration Analysis via Gyroscope [medium]
- UC-14.3.18 · Sound Frequency Analysis for Equipment Signatures [medium]
- UC-14.3.19 · Multi-Sensor Environmental Baseline & Drift Detection [medium]
- UC-14.3.20 · Pressure Monitoring for Cleanroom Compliance [critical]
- UC-14.3.21 · HVAC Duct Pressure & Velocity Monitoring [medium]
- UC-14.3.22 · Weather Station Data Integration & Altitude Compensation [medium]
- UC-14.3.23 · Custom Python Container for Data Transformation & Enrichment [medium]
- UC-14.3.24 · BACnet-to-MQTT Protocol Gateway Container [high]
- UC-14.3.25 · Local Alerting & GPIO Relay Control Container [high]
- UC-14.3.26 · Edge Analytics Container for Rolling Statistics & Threshold Logic [medium]
- UC-14.3.27 · BLE Beacon Asset Tracking & Presence Detection [medium]
- UC-14.3.28 · USB Camera Barcode & QR Code Scanning Container [medium]
- UC-14.3.29 · Audio Classification for Anomalous Sound Detection [medium]
- UC-14.3.30 · Predictive Maintenance via NPU-Based Model Inference [high]
- UC-14.3.31 · OPC-UA Tag Browsing & Change Detection [high]
- UC-14.3.32 · Modbus TCP Register Monitoring for Industrial Equipment [high]
- UC-14.3.33 · Multi-Protocol Sensor Fusion (OPC-UA + MQTT + Built-in) [high]
- UC-14.3.34 · Protocol Gateway Health & Connectivity Monitoring [medium]
- UC-14.3.35 · Industrial Alarm Management via OPC-UA [critical]
- UC-14.3.36 · Energy Meter Integration via Modbus TCP [medium]
- UC-14.3.37 · PLC Program Change Detection via OPC-UA Timestamp Monitoring [critical]
- UC-14.3.38 · SCADA HMI Event Capture & Operator Action Logging [medium]
- UC-14.3.39 · Multi-Device Fleet Firmware Version Compliance [high]
- UC-14.3.40 · Device Location Tracking via GNSS [medium]
- UC-14.3.41 · Cellular Connectivity Quality & Signal Strength Monitoring [high]
- UC-14.3.42 · Edge Hub Resource Capacity Planning & CPU/Memory Utilization [medium]
- UC-14.3.43 · Configuration Drift Detection Across Fleet [high]
- UC-14.3.44 · Local Backlog Monitoring & Data Loss Prevention [critical]
- UC-14.3.45 · USB Camera People Counting for Occupancy & Capacity Management [medium]
- UC-14.3.46 · USB Camera Visual Inspection for Manufacturing Defects [high]
- UC-14.3.47 · Custom Python Container for API Integration & Data Enrichment [medium]
- UC-14.3.48 · Pressure & Humidity Sensor Correlation for Leakage Detection [high]
- UC-14.3.49 · Sound Level & Frequency Band Monitoring for Regulatory Compliance [medium]
- UC-14.3.50 · Accelerometer-Based Fall Detection & Impact Monitoring [high]
- UC-14.3.51 · Temperature & Humidity Sensor Calibration Drift Detection [high]
- UC-14.3.52 · Light Sensor Ambient Light Level Anomaly Detection [medium]
- UC-14.3.53 · Vibration Magnitude Threshold Monitoring for Equipment Protection [critical]
- UC-14.3.54 · Multi-Zone Temperature Gradient Monitoring for Optimal Environment [medium]
- UC-14.3.55 · Acoustic Anomaly Detection for Equipment Health Assessment [medium]
- UC-14.3.56 · MQTT Topic Latency & Message Loss Monitoring [high]
- UC-14.3.57 · Temperature Sensor Response Time Validation & Lag Detection [medium]

### 14.4 IoT Platforms & Sensors

- UC-14.4.1 · Smart Sensor Fleet Health [high]
- UC-14.4.2 · Environmental Monitoring [high]
- UC-14.4.3 · Asset Tracking [medium]
- UC-14.4.4 · Home Automation Monitoring [low]
- UC-14.4.5 · IoT Device Firmware Compliance [high]
- UC-14.4.6 · IoT Device Connectivity and Last-Seen Monitoring [high]
- UC-14.4.7 · OT Protocol Anomaly and Unauthorized Command Detection [critical]
- UC-14.4.8 · Sensor Calibration and Drift Detection [medium]
- UC-14.4.9 · Gateway and Edge Node Resource Utilization [high]
- UC-14.4.10 · IoT Data Pipeline Throughput and Latency [high]
- UC-14.4.11 · Aranet Environmental Sensor Monitoring [medium]
- UC-14.4.12 · IoT Device Fleet Health Dashboard [high]
- UC-14.4.13 · Firmware Update Compliance [high]
- UC-14.4.14 · Sensor Data Gap Detection [high]
- UC-14.4.15 · MQTT Broker Overload [critical]
- UC-14.4.16 · IoT Device Certificate Expiry [critical]
- UC-14.4.17 · Edge-to-Cloud Sync Failures [high]
- UC-14.4.18 · IoT Device Provisioning Audit [high]
- UC-14.4.19 · BLE/Zigbee Gateway Health [high]

### 14.5 MQTT and OPC-UA (Edge Hub and Gateways)

- UC-14.5.1 · MQTT Topic Message Rate and Subscription Health [high]
- UC-14.5.2 · OPC-UA Server Connection and Session Count [high]
- UC-14.5.3 · Edge Hub MQTT Broker Client Disconnections [high]
- UC-14.5.4 · OPC-UA Node Value Change Rate and Anomaly [medium]
- UC-14.5.5 · Edge Hub to Cloud HEC Forwarding Backlog [critical]
- UC-14.5.6 · MQTT Retain and Last Will Message Audit [medium]
- UC-14.5.7 · OPC-UA Alarms and Events Queue Depth [high]
- UC-14.5.8 · MQTT QoS 0/1/2 Delivery and Drops [high]
- UC-14.5.9 · OPC-UA Certificate Expiration and Trust [critical]
- UC-14.5.10 · Edge Hub Local Storage and SQLite Backlog [high]
- UC-14.5.11 · MQTT Authentication Failure and ACL Denials [high]
- UC-14.5.12 · OPC-UA Subscription Latency and Sampling Overrun [medium]
- UC-14.5.13 · Edge Hub Container Health (MQTT/OPC-UA Modules) [high]
- UC-14.5.14 · MQTT TLS Handshake and Cipher Compliance [high]
- UC-14.5.15 · OPC-UA Write and Permission Denials [high]
- UC-14.5.16 · HiveMQ Cluster Node Health and Split-Brain Detection [critical]
- UC-14.5.17 · MQTT Shared Subscription Load Distribution [medium]
- UC-14.5.18 · HiveMQ Retained Message Store Growth [high]
- UC-14.5.19 · MQTT Client Disconnect Reason Analysis [medium]
- UC-14.5.20 · HiveMQ Extension Execution Errors [high]
- UC-14.5.21 · MQTT Topic Tree Depth and Fan-Out Analysis [low]
- UC-14.5.22 · HiveMQ License Utilization Trending [high]

### 14.6 Zeek ICS Deep Protocol Inspection

- UC-14.6.1 · S7comm PLC Read/Write Operation Monitoring [critical]
- UC-14.6.2 · S7comm Program Upload/Download Detection [critical]
- UC-14.6.3 · S7comm CPU State Change Detection [high]
- UC-14.6.4 · S7comm Unauthorized Function Block Access [high]
- UC-14.6.5 · Modbus Function Code Distribution Audit [high]
- UC-14.6.6 · Modbus Register Value Change Tracking [critical]
- UC-14.6.7 · Modbus Device Identification Enumeration (FC 43 / 0x2B) [high]
- UC-14.6.8 · DNP3 Unsolicited Response Monitoring [high]
- UC-14.6.9 · DNP3 Control Relay Output Block (CROB) Tracking [critical]
- UC-14.6.10 · DNP3 Cold/Warm Restart Detection [critical]
- UC-14.6.11 · EtherNet/IP CIP Service Request Audit [high]
- UC-14.6.12 · EtherNet/IP Unregistered Session Detection [high]
- UC-14.6.13 · EtherNet/IP I/O Implicit Messaging Anomaly [high]
- UC-14.6.14 · IEC 104 Interrogation Command Monitoring [high]
- UC-14.6.15 · IEC 104 Spontaneous Value Change Tracking [high]
- UC-14.6.16 · IEC 104 Clock Synchronization Deviation [high]
- UC-14.6.17 · BACnet Object Access Audit [high]
- UC-14.6.18 · BACnet Who-Is Broadcast Storm Detection [medium]
- UC-14.6.19 · HART-IP Command 48 Additional Status Monitoring [medium]
- UC-14.6.20 · Unknown Protocol on OT VLAN Detection [critical]

### 14.7 Litmus Edge Industrial IoT Gateway

- UC-14.7.1 · Litmus Edge Gateway Connectivity Health [high]
- UC-14.7.2 · PLC Tag Data Ingestion Validation [high]
- UC-14.7.3 · Edge-to-Splunk Data Pipeline Latency [medium]
- UC-14.7.4 · Production Sensor Data Completeness Audit [high]
- UC-14.7.5 · Litmus Edge Device Inventory Drift [medium]
- UC-14.7.6 · Edge Data Transformation Error Rate [high]
- UC-14.7.7 · Multi-Site Litmus Edge Fleet Health [high]
- UC-14.7.8 · Litmus Edge Connector Authentication Monitoring [critical]
- UC-14.7.9 · Centralized Model Retraining for Industrial Sensor ML (DSDL) [high]

### 14.8 IoT & OT Trending

- UC-14.8.1 · Device Fleet Online Rate Trending [high]
- UC-14.8.2 · Sensor Data Quality Trending [high]
- UC-14.8.3 · OEE Trending [high]
- UC-14.8.4 · Predictive Maintenance Alert Volume Trending [medium]

### 14.9 OT Network Security Monitoring (Cisco Cyber Vision / Nozomi Networks)

- UC-14.9.1 · OT Asset Discovery and Inventory Tracking [critical]
- UC-14.9.2 · New OT Device Detection Alert [critical]
- UC-14.9.3 · OT Asset Vulnerability Detection and CVE Tracking [critical]
- UC-14.9.4 · OT Asset Risk Score Monitoring [high]
- UC-14.9.5 · Baseline Deviation Detection [critical]
- UC-14.9.6 · Snort IDS Threat Detection on OT Networks [critical]
- UC-14.9.7 · PLC Program Download/Upload Detection [critical]
- UC-14.9.8 · Controller Firmware Activation Monitoring [critical]
- UC-14.9.9 · Forced Variable Detection in OT Processes [critical]
- UC-14.9.10 · Control Action Monitoring on Industrial Assets [high]
- UC-14.9.11 · Controller Mode Change Detection [critical]
- UC-14.9.12 · New Communication Flow Detection [high]
- UC-14.9.13 · Protocol Exception Monitoring [high]
- UC-14.9.14 · OT Device Authentication Failure Detection [high]
- UC-14.9.15 · Admin Connection Detection to ICS Assets [high]
- UC-14.9.16 · Port Scan Detection on OT Networks [critical]
- UC-14.9.17 · Weak Encryption Detection in OT Communications [medium]
- UC-14.9.18 · SMB Protocol Activity in OT Networks [high]
- UC-14.9.19 · Network Redundancy and HA Failover Events [high]
- UC-14.9.20 · Cyber Vision Sensor Health and Resource Monitoring [high]
- UC-14.9.21 · Cyber Vision Administration Audit Trail [medium]
- UC-14.9.22 · IEC 62443 Zone and Conduit Compliance Monitoring [high]
- UC-14.9.23 · OT Event Severity Distribution and Security Posture Dashboard [medium]
- UC-14.9.24 · OT Protocol Usage Analysis and Inventory [medium]
- UC-14.9.25 · Decode Failure and Malformed Packet Detection [medium]

## 15. Data Center Physical Infrastructure

Power/UPS, cooling/CRAC, and environmental monitoring — battery health, thermal management, and physical security.

**Quick tip:** Integrate DCIM or BMS platforms via SNMP or API to collect environmental and power data.
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-15-data-center-physical-infrastructure.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-15-data-center-physical-infrastructure.md

### 15.1 Power & UPS

- UC-15.1.1 · UPS Battery Health [critical]
- UC-15.1.2 · PDU Power per Rack [high]
- UC-15.1.3 · Power Redundancy Status [critical]
- UC-15.1.4 · Generator Test Results [high]
- UC-15.1.5 · PUE Calculation [medium]
- UC-15.1.6 · Circuit Breaker Trips [critical]
- UC-15.1.7 · APC PDU Outlet-Level Power Monitoring [medium]
- UC-15.1.8 · Generator Runtime and Fuel Level [critical]
- UC-15.1.9 · Rack Power Density Trending [medium]
- UC-15.1.10 · UPS Battery Runtime Remaining [critical]
- UC-15.1.11 · PDU Outlet-Level Power Draw [high]
- UC-15.1.12 · Generator Fuel Level Monitoring [critical]
- UC-15.1.13 · Transfer Switch Events [critical]
- UC-15.1.14 · Power Factor Monitoring [medium]
- UC-15.1.15 · PUE Efficiency Tracking vs Target [medium]
- UC-15.1.16 · Breaker Panel Load Balancing [high]
- UC-15.1.17 · UPS Self-Test Failure [critical]
- UC-15.1.18 · Generator Start Failure [critical]
- UC-15.1.19 · Power Redundancy Compliance (N+1) [critical]
- UC-15.1.20 · PDU Branch Circuit Alerts [high]
- UC-15.1.21 · Electrical Panel Phase Balancing [high]
- UC-15.1.22 · UPS Battery Monitoring [critical]
- UC-15.1.23 · Power Consumption Trending [medium]
- UC-15.1.24 · Rack PDU Load and Phase Balance [high]
- UC-15.1.25 · Generator Run Hours and Maintenance Due [high]

### 15.2 Cooling & Environmental

- UC-15.2.1 · Temperature Monitoring per Zone [critical]
- UC-15.2.2 · Humidity Monitoring [high]
- UC-15.2.3 · CRAC/CRAH Unit Health [critical]
- UC-15.2.4 · Hot Aisle Temperature Trending [medium]
- UC-15.2.5 · Water Leak Detection [critical]
- UC-15.2.6 · Cooling Capacity Planning [medium]
- UC-15.2.7 · APC InRow / CRAC Unit Temperature Differential [high]
- UC-15.2.8 · CRAC Unit Failure and Alarm State [critical]
- UC-15.2.9 · Hot/Cold Aisle Temperature Delta [high]
- UC-15.2.10 · Humidity Threshold Exceedance (ASHRAE) [high]
- UC-15.2.11 · Chiller Plant Efficiency (kW/ton) [medium]
- UC-15.2.12 · Liquid Cooling Loop Pressure [critical]
- UC-15.2.13 · Air Handler Filter Differential Pressure [medium]
- UC-15.2.14 · Cooling Capacity vs IT Load [high]
- UC-15.2.15 · Economizer Mode Utilization [medium]
- UC-15.2.16 · Condensation Risk Alerts [critical]
- UC-15.2.17 · Cooling Redundancy Status [critical]
- UC-15.2.18 · Data Center Humidity & Condensation Risk [critical]
- UC-15.2.19 · Water Leak Sensor Zone Correlation [critical]

### 15.3 Physical Security

- UC-15.3.1 · Badge Access Audit [high]
- UC-15.3.2 · After-Hours Access Alerts [high]
- UC-15.3.3 · Tailgating Detection [high]
- UC-15.3.4 · Camera System Health [high]
- UC-15.3.5 · Cabinet Door Monitoring [medium]
- UC-15.3.7 · Fire Suppression and Detection System Alarms [critical]
- UC-15.3.8 · Raised Floor and Cable Management Events [medium]
- UC-15.3.10 · Data Center Capacity Headroom by Zone [high]
- UC-15.3.11 · CCTV / IP Camera Health Monitoring [medium]
- UC-15.3.12 · Fire Suppression System Status [critical]
- UC-15.3.13 · Environmental Sensor Battery Status [medium]
- UC-15.3.14 · Badge Tailgating and Anti-Passback Violations [high]
- UC-15.3.15 · After-Hours Access Without Active Work Order [high]
- UC-15.3.16 · Camera Feed Loss and Recording Gap Detection [high]
- UC-15.3.17 · Visitor Badge Expiry Tracking [medium]
- UC-15.3.18 · Cabinet Intrusion and Forced Rack Door Events [high]
- UC-15.3.20 · Fire Suppression System Health and Supervisory Signals [critical]
- UC-15.3.21 · Access Control Panel Tamper and Line Fault [critical]
- UC-15.3.22 · Camera Uptime and Availability Tracking (Meraki MV) [medium]
- UC-15.3.23 · Video Retention and Cloud Archive Storage Utilization (Meraki MV) [medium]
- UC-15.3.24 · Motion Detection Events and Alert Volume Analysis (Meraki MV) [low]
- UC-15.3.25 · Camera Video Quality Score and Stream Health (Meraki MV) [medium]
- UC-15.3.26 · Cloud Archive Status and Backup Validation (Meraki MV) [medium]
- UC-15.3.27 · Video Stream Connection Errors and Quality Issues (Meraki MV) [medium]
- UC-15.3.28 · Camera Firmware Compliance and Update Management (Meraki MV) [medium]
- UC-15.3.29 · Night Mode Effectiveness and Low-Light Performance (Meraki MV) [low]
- UC-15.3.30 · People Counting Trends and Occupancy Analytics [low]
- UC-15.3.31 · Building Occupancy Trending and Capacity Planning [high]
- UC-15.3.32 · Visitor Dwell Time and Movement Flow Analysis [medium]
- UC-15.3.33 · Environmental Sensor Monitoring (Temperature, Humidity, Air Quality) [critical]
- UC-15.3.34 · Asset Tracking and Geofencing Alerts [high]
- UC-15.3.35 · After-Hours Wireless Presence Detection [high]
- UC-15.3.36 · Workspace Utilization and Ghost Booking Detection [medium]
- UC-15.3.37 · Access Control Event Audit [high]
- UC-15.3.38 · Cisco Spaces Wayfinding and Path Analytics [medium]
- UC-15.3.39 · Cisco Spaces Proximity and Engagement Analytics [medium]
- UC-15.3.40 · Cisco Spaces IoT Sensor Alert Correlation with Building Management [high]

## 16. Service Management & ITSM

Ticketing systems and CMDB — incident trends, SLA compliance, MTTR, and change management correlation.

**Quick tip:** Use Splunk Add-on for ServiceNow or REST API integration to pull ticket and CMDB data.
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-16-service-management-itsm.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-16-service-management-itsm.md

### 16.1 Ticketing Systems

- UC-16.1.1 · Incident Volume Trending [high]
- UC-16.1.2 · SLA Compliance Monitoring [critical]
- UC-16.1.3 · MTTR by Category [high]
- UC-16.1.4 · Change Success Rate [high]
- UC-16.1.5 · Change Collision Detection [high]
- UC-16.1.6 · Problem Trending [medium]
- UC-16.1.7 · Ticket Reassignment Rate [medium]
- UC-16.1.8 · Aging Ticket Alerts [medium]
- UC-16.1.9 · Change-Incident Correlation [critical]
- UC-16.1.10 · Service Request Fulfillment Time [medium]
- UC-16.1.11 · Problem Ticket Reopening Rate [medium]
- UC-16.1.12 · Incident Priority Distribution Trending [medium]
- UC-16.1.13 · On-Call Escalation Frequency [medium]
- UC-16.1.14 · SLA Breach Prediction [critical]
- UC-16.1.15 · Incident Reassignment Frequency [medium]
- UC-16.1.16 · Ticket Aging by Priority [high]
- UC-16.1.17 · Auto-Close Compliance [medium]
- UC-16.1.18 · Recurring Incident Detection [high]
- UC-16.1.19 · Problem Management Root Cause Linking [high]
- UC-16.1.20 · Major Incident Post-Mortem Compliance [high]
- UC-16.1.21 · War Room Activation Tracking [high]
- UC-16.1.22 · Escalation Path Audit [medium]
- UC-16.1.23 · Service Request Fulfillment Rate [medium]
- UC-16.1.24 · ServiceNow Bidirectional Incident Sync [high]
- UC-16.1.25 · First Response Time vs SLA Target [critical]
- UC-16.1.26 · Catalog Request Item Backlog and WIP [high]
- UC-16.1.27 · On-Hold Time Impact on Resolution SLA [medium]

### 16.2 Configuration Management (CMDB)

- UC-16.2.1 · CMDB Data Quality Score [high]
- UC-16.2.2 · CI Discovery Reconciliation [high]
- UC-16.2.3 · Orphaned CI Detection [medium]
- UC-16.2.4 · Relationship Integrity Check [medium]
- UC-16.2.5 · CMDB Change Audit [medium]
- UC-16.2.6 · CI Relationship Drift [high]
- UC-16.2.7 · Asset Discovery Reconciliation [high]
- UC-16.2.8 · End-of-Life Hardware Tracking [high]
- UC-16.2.9 · CMDB Accuracy Scoring [high]
- UC-16.2.10 · Undocumented Server Detection [critical]
- UC-16.2.12 · Software Asset Management Compliance [medium]
- UC-16.2.13 · Hardware Warranty Expiry [medium]
- UC-16.2.14 · CI Lifecycle Management [medium]
- UC-16.2.15 · Asset Decommission Verification [high]
- UC-16.2.16 · Stale CI Discovery Freshness [high]
- UC-16.2.17 · Duplicate CI Name Detection [high]
- UC-16.2.18 · Application CI Business Service Coverage [medium]
- UC-16.2.19 · CMDB Mandatory Attribute Completeness by Class [high]

### 16.3 Business Process & Availability Intelligence

- UC-16.3.1 · Cross-Service Business Process Health Score [high]
- UC-16.3.2 · Infrastructure Service Availability Heatmap [high]
- UC-16.3.3 · First Contact Resolution Rate by Group [medium]
- UC-16.3.4 · Escalation and Handoff Latency [high]
- UC-16.3.5 · Knowledge Article Usage and Gap Detection [medium]
- UC-16.3.6 · Major Incident and Post-Mortem Tracking [high]
- UC-16.3.7 · Request Fulfillment and Approval Cycle Time [medium]
- UC-16.3.8 · Knowledge Article Usage vs. Ticket Volume [low]
- UC-16.3.9 · Mean Time Between Failures (MTBF) per CI [medium]
- UC-16.3.10 · Business Service Availability (Composite SLA) [critical]
- UC-16.3.11 · Batch Job Schedule Compliance [high]
- UC-16.3.12 · Control-M Job Monitoring [high]
- UC-16.3.13 · Service Request Item Fulfillment Cycle Time [high]
- UC-16.3.14 · Priority 1–2 First-Assignment Latency [critical]
- UC-16.3.15 · Open Problem Record Aging [high]
- UC-16.3.16 · Knowledge Article Effectiveness on Incidents [medium]

### 16.4 Change & Release Management

- UC-16.4.1 · Unauthorized Change Detection [critical]
- UC-16.4.2 · Change Window Compliance Monitoring [high]
- UC-16.4.3 · Failed Change Correlation with Incident Spikes [high]
- UC-16.4.4 · Release Deployment Success Rate Tracking [high]
- UC-16.4.5 · Emergency Change Frequency Monitoring [high]
- UC-16.4.6 · Change Advisory Board (CAB) Approval Compliance [high]
- UC-16.4.7 · Post-Implementation Review (PIR) Completion Tracking [medium]
- UC-16.4.8 · Change Risk Assessment Accuracy [medium]
- UC-16.4.9 · Change Backout and Rollback Rate [critical]
- UC-16.4.10 · Change Implementation Duration vs Plan [high]
- UC-16.4.11 · Same-CI Concurrent Scheduled Changes [critical]
- UC-16.4.12 · Standard Change Volume and Mix Guardrail [medium]

### 16.5 ITSM Trending

- UC-16.5.1 · Ticket Backlog Aging Trending [high]
- UC-16.5.2 · Change Success Rate Trending [high]
- UC-16.5.3 · Knowledge Article Deflection Rate Trending [medium]
- UC-16.5.4 · MTTR by Priority Trending [high]
- UC-16.5.5 · Escalation Rate Trending [medium]
- UC-16.5.6 · First Response SLA Compliance Trending [critical]
- UC-16.5.7 · Incident Channel Mix Trending [medium]
- UC-16.5.8 · Open Incident WIP Trending by Priority [high]

## 17. Network Security & Zero Trust

NAC (802.1X), micro-segmentation, and SASE — network access control, posture assessment, and zero trust enforcement.
**Quick tip:** Collect ISE/NAC RADIUS accounting logs and install Splunk_TA_cisco-ise for structured data. Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-17-network-security-zero-trust.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-17-network-security-zero-trust.md ### 17.1 Network Access Control (NAC) - UC-17.1.1 · NAC Authentication Trending [high] - UC-17.1.2 · Endpoint Posture Failures [high] - UC-17.1.3 · VLAN Assignment Audit [medium] - UC-17.1.4 · Guest Network Usage [medium] - UC-17.1.5 · BYOD Onboarding Tracking [medium] - UC-17.1.6 · MAC Authentication Bypass (MAB) [high] - UC-17.1.7 · Profiling Accuracy [medium] - UC-17.1.8 · NAC Policy Change Audit [high] - UC-17.1.9 · 802.1X Supplicant Timeout Tracking [medium] - UC-17.1.10 · RADIUS Accounting Discrepancies [medium] - UC-17.1.11 · Posture Assessment Failure Trends [high] - UC-17.1.12 · Rogue Device Detection [critical] - UC-17.1.13 · 802.1X Authentication Failure Analysis [high] - UC-17.1.14 · Guest Network Abuse Detection [high] - UC-17.1.15 · RADIUS Accounting NAS vs Session-ID Reconciliation [medium] - UC-17.1.16 · MAC Authentication Bypass Anomaly Detection [high] - UC-17.1.17 · Network Quarantine Effectiveness [medium] - UC-17.1.18 · NAC Policy Compliance Trending [high] - UC-17.1.19 · Endpoint Compliance Scoring [high] - UC-17.1.20 · Quarantine Release Audit [medium] - UC-17.1.21 · ISE Endpoint Posture Compliance [high] - UC-17.1.22 · NAC Quarantine and Remediation Duration [medium] ### 17.2 VPN & Remote Access - UC-17.2.1 · VPN Concurrent Sessions [high] - UC-17.2.2 · VPN Authentication Failures [high] - UC-17.2.3 · Geo-Location Anomalies [critical] - UC-17.2.4 · Split-Tunnel Compliance [medium] - UC-17.2.5 · VPN Tunnel Stability [medium] - UC-17.2.6 · Off-Hours VPN Access [medium] - UC-17.2.7 · VPN Bandwidth Consumption [medium] - UC-17.2.8 · Simultaneous Session Detection [critical] - UC-17.2.9 · VPN 
Split-Tunnel Policy Compliance [medium] - UC-17.2.10 · mTLS Certificate Rotation Tracking [high] - UC-17.2.11 · Split Tunnel Violation Detection [high] - UC-17.2.12 · VPN Concentrator Capacity [high] - UC-17.2.13 · Concurrent VPN Session Limits [medium] - UC-17.2.14 · Geo-Impossible VPN Connections [critical] - UC-17.2.15 · VPN Tunnel Keepalive Failure Analysis [medium] - UC-17.2.16 · Remote Desktop Gateway Health [high] - UC-17.2.17 · VPN Client Version Compliance [high] - UC-17.2.18 · Site-to-Site Tunnel Flapping [high] - UC-17.2.19 · Always-On VPN Enforcement [high] - UC-17.2.20 · VPN Bandwidth Utilization Trending [medium] - UC-17.2.21 · SSL VPN Certificate Compliance [high] - UC-17.2.22 · Remote Session Duration Anomalies [medium] - UC-17.2.23 · VPN Session Duration and Idle Timeout [medium] ### 17.3 Zero Trust / SASE - UC-17.3.1 · Conditional Access Enforcement [high] - UC-17.3.2 · Device Trust Scoring [high] - UC-17.3.3 · Micro-Segmentation Audit [high] - UC-17.3.4 · ZTNA Application Access [medium] - UC-17.3.5 · Posture Assessment Trending [medium] - UC-17.3.6 · Policy Drift Detection [high] - UC-17.3.7 · Device Certificate Expiration and Renewal [critical] - UC-17.3.8 · Zero Trust Access Denial Trending [high] - UC-17.3.11 · Micro-Segment Traffic Baseline Anomaly [high] - UC-17.3.12 · Zscaler ZIA Policy Violation Trends [high] - UC-17.3.13 · ZPA Application Segment Health [high] - UC-17.3.14 · Cisco Umbrella DNS Block Analysis [high] - UC-17.3.15 · SASE Tunnel Health [high] - UC-17.3.16 · Identity-Aware Proxy Access Anomalies [high] - UC-17.3.17 · Microsegmentation Policy Effectiveness [high] - UC-17.3.18 · Device Trust Score Trending [high] - UC-17.3.19 · Continuous Authentication Compliance [medium] - UC-17.3.20 · Browser Isolation Usage [medium] - UC-17.3.21 · SWG Bypass Attempt Detection [critical] - UC-17.3.22 · ZTNA Application Access Latency [medium] - UC-17.3.23 · Prisma Access Tunnel Health [high] - UC-17.3.24 · Conditional Access Policy 
Enforcement (Entra ID) [high] - UC-17.3.25 · Cato Security Event Monitoring (Cato Networks) [high] - UC-17.3.26 · Cato WAN Link Health and Quality (Cato Networks) [high] - UC-17.3.27 · Cato Threat Prevention Events (Cato Networks) [critical] - UC-17.3.28 · Cato Cloud Firewall Policy Audit (Cato Networks) [medium] - UC-17.3.29 · Cato SD-WAN Tunnel Health (Cato Networks) [critical] - UC-17.3.30 · Cato SDP Client Connection Monitoring (Cato Networks) [high] - UC-17.3.31 · Cato DLP and CASB Event Analysis (Cato Networks) [high] - UC-17.3.32 · Netskope Cloud App Risk Assessment [high] - UC-17.3.33 · Netskope DLP Policy Violations [critical] - UC-17.3.34 · Netskope Threat Protection Events [critical] - UC-17.3.35 · Netskope SWG Web Category Blocking [high] - UC-17.3.36 · Netskope Private Access (NPA) Health [high] - UC-17.3.37 · Netskope CASB Inline Policy Enforcement [high] - UC-17.3.38 · Netskope Admin Audit Trail [medium] - UC-17.3.39 · FortiSASE SWG Policy Violation Trends (Fortinet) [high] - UC-17.3.40 · FortiSASE ZTNA Application Access (Fortinet) [high] - UC-17.3.41 · FortiSASE Threat Detection Events (Fortinet) [critical] - UC-17.3.42 · FortiSASE Thin Edge Health (Fortinet) [high] - UC-17.3.43 · FortiSASE Admin Configuration Audit (Fortinet) [medium] - UC-17.3.44 · Check Point Harmony SASE Threat Prevention (Check Point) [critical] - UC-17.3.45 · Check Point Harmony SASE Internet Access Policy (Check Point) [high] - UC-17.3.46 · Check Point Harmony SASE Private Access (Check Point) [high] - UC-17.3.47 · Check Point Harmony SASE Admin Audit (Check Point) [medium] - UC-17.3.48 · Check Point Harmony SASE DLP Events (Check Point) [critical] - UC-17.3.49 · Akamai Guardicore Segmentation Policy Violations [critical] - UC-17.3.50 · Akamai Guardicore Reveal Map Anomalies [high] - UC-17.3.51 · Akamai Guardicore Agent Health [high] - UC-17.3.52 · Akamai Guardicore Incident Investigation [critical] - UC-17.3.53 · Broadcom Symantec Cloud SWG Policy Analysis (Broadcom) [high] 
- UC-17.3.54 · Broadcom Symantec CASB Shadow IT Detection (Broadcom) [high] - UC-17.3.55 · Broadcom Symantec Cloud SWG Threat Events (Broadcom) [critical] - UC-17.3.56 · Cloudflare Access (ZTNA) Policy Enforcement [high] - UC-17.3.57 · Cloudflare Gateway (SWG) DNS and HTTP Filtering [high] - UC-17.3.58 · Cloudflare Tunnel Health [high] - UC-17.3.59 · Forcepoint ONE SSE Web Security Events (Forcepoint) [high] - UC-17.3.60 · Forcepoint ONE ZTNA Private Access Health (Forcepoint) [high] - UC-17.3.61 · SonicWall Cloud SWG and SMA Access Events (SonicWall) [high] - UC-17.3.62 · Versa SASE Security and Access Events (Versa Networks) [high] ## 18. Data Center Fabric & SDN Cisco ACI, NSX-T, and software-defined networking — fabric health, policy compliance, and endpoint tracking. **Quick tip:** Install Splunk Add-on for Cisco ACI and connect to APIC for fault, event, and audit data. Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-18-data-center-fabric-sdn.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-18-data-center-fabric-sdn.md ### 18.1 Cisco ACI - UC-18.1.1 · Fabric Health Score Monitoring [critical] - UC-18.1.2 · Fault Trending by Severity [high] - UC-18.1.3 · Endpoint Mobility Tracking [high] - UC-18.1.4 · Contract/Filter Hit Analysis [high] - UC-18.1.5 · Tenant Configuration Audit [medium] - UC-18.1.6 · Leaf/Spine Interface Utilization [high] - UC-18.1.7 · APIC Cluster Health [critical] - UC-18.1.8 · Spine-Leaf Fabric Latency [medium] - UC-18.1.9 · ACI Contract Hit/Miss Ratio Analysis [high] - UC-18.1.10 · ACI Endpoint Group (EPG) Health [high] - UC-18.1.11 · ACI Fault Lifecycle Tracking [high] - UC-18.1.12 · Fabric Node Decommission Events [medium] - UC-18.1.13 · Bridge Domain Subnet Utilization [high] - UC-18.1.14 · L3Out Prefix Monitoring [high] - UC-18.1.15 · APIC Policy CAM Utilization [high] - UC-18.1.16 · ACI Tenant Configuration Compliance Audit [medium] - UC-18.1.17 · ACI 
Multisite Health [critical] - UC-18.1.18 · APIC Cluster Replication Latency [high] - UC-18.1.19 · ACI Fault Domain Severity Rollup [high] - UC-18.1.20 · Contract Violation and Implicit Deny Bursts [critical] - UC-18.1.21 · EPG Endpoint Learning and Deletion Churn [high] - UC-18.1.22 · Fabric Port-Channel and Member Link Imbalance [high] - UC-18.1.23 · APIC Controller Resource Exhaustion Watch [critical] ### 18.2 VMware NSX - UC-18.2.1 · Distributed Firewall Rule Hits [high] - UC-18.2.2 · Micro-Segmentation Enforcement [high] - UC-18.2.3 · Logical Switch Health [high] - UC-18.2.4 · NSX Edge Performance [high] - UC-18.2.5 · Transport Node Connectivity [critical] - UC-18.2.6 · Distributed Firewall Rule Hit Rate Analysis [high] - UC-18.2.7 · Micro-Segmentation Policy Drift [high] - UC-18.2.8 · NSX Edge Gateway Health [critical] - UC-18.2.9 · NSX-T Transport Node Overlay Path Health [critical] - UC-18.2.10 · Load Balancer Pool Health [high] - UC-18.2.11 · NAT Rule Utilization [medium] - UC-18.2.12 · T0/T1 Gateway Failover Events [critical] - UC-18.2.13 · NSX Manager Cluster Health [critical] - UC-18.2.14 · NSX Intelligence Top Flows and Anomalous East-West Volume [high] - UC-18.2.15 · Distributed Firewall Rule Hit Counts by Application Tier [medium] - UC-18.2.16 · Edge Cluster BFD and Uplink Session Health [critical] - UC-18.2.17 · Transport Node Data Plane Interface Errors and Drops [high] - UC-18.2.18 · NSX Intelligence Recommended Firewall Rule Publish Queue [medium] ### 18.3 Other SDN - UC-18.3.1 · Cilium/Calico Network Policy Monitoring [medium] - UC-18.3.2 · OpenStack Neutron Events [medium] - UC-18.3.3 · SDN Controller Health [critical] - UC-18.3.4 · VXLAN Tunnel and Overlay Health [critical] - UC-18.3.5 · EVPN Route and MAC Mobility Events [high] - UC-18.3.6 · ACI Contract Deny and Drop Statistics [high] - UC-18.3.7 · NSX-T Segment and Gateway Capacity [high] - UC-18.3.8 · SDN Configuration Change and Rollback Audit [critical] - UC-18.3.9 · VXLAN VTEP 
Reachability [high] - UC-18.3.10 · EVPN Route Type Distribution [medium] - UC-18.3.11 · EVPN/VXLAN Tunnel Health [critical] - UC-18.3.12 · SDN Controller High Availability [critical] - UC-18.3.13 · Fabric Upgrade Compliance [medium] - UC-18.3.14 · Spine-Leaf Topology Anomalies [high] - UC-18.3.15 · BGP EVPN Route Table Convergence [high] - UC-18.3.16 · VTEP Reachability and Loss [high] - UC-18.3.17 · Leaf Switch Resource Utilization [high] - UC-18.3.18 · BGP EVPN Route Withdrawal Rate and Flap Storms [critical] - UC-18.3.19 · Spine-Leaf ECMP Member Utilization Balance [high] - UC-18.3.20 · Fabric Host Route and ARP Scale Headroom [high] - UC-18.3.21 · EVPN Ethernet Segment (ESI) DF Election and BUM Stability [high] - UC-18.3.22 · VXLAN Underlay Path MTU and DF Bit Fragmentation Risk [medium] ### 18.4 Cisco Nexus Dashboard & NX-OS Fabric - UC-18.4.1 · Nexus Dashboard Insights Anomaly Monitoring [critical] - UC-18.4.2 · NDFC Fabric Compliance and Configuration Drift [high] - UC-18.4.3 · Nexus Dashboard Advisory and Field Notice Alerts [high] - UC-18.4.4 · Nexus 9000 NX-OS Streaming Telemetry Health [medium] - UC-18.4.5 · NX-OS VXLAN EVPN Fabric Underlay BGP Health [critical] - UC-18.4.6 · NX-OS Control Plane Policing (CoPP) Drops [high] - UC-18.4.7 · Nexus Dashboard Orchestrator Cross-Fabric Consistency [high] - UC-18.4.8 · NDFC Switch Inventory and Lifecycle Status [medium] - UC-18.4.9 · Nexus Dashboard Site and Fabric Assurance Health Score [high] - UC-18.4.10 · Golden Firmware Image Compliance Across NDFC Fabrics [high] - UC-18.4.11 · NDFC Flow Telemetry Drop and Export Health [medium] - UC-18.4.12 · Nexus Dashboard Insights Alert Noise and Category Mix [medium] - UC-18.4.13 · NDFC POAP / ZTP Bootstrap and Day-0 Onboarding Failures [high] ## 19. Compute Infrastructure (HCI & Converged) Cisco UCS, Nutanix, and hyper-converged infrastructure — blade health, service profiles, and hardware faults. 
**Quick tip:** Install vendor TA (UCS Manager, Nutanix Prism) and configure XML API or REST collection. Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-19-compute-infrastructure-hci-converged.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-19-compute-infrastructure-hci-converged.md ### 19.1 Cisco UCS - UC-19.1.1 · Blade/Rack Server Health (Cisco UCS) [critical] - UC-19.1.2 · Service Profile Compliance (Cisco UCS) [high] - UC-19.1.3 · Firmware Compliance (Cisco UCS) [medium] - UC-19.1.4 · Fault Trending by Severity (Cisco UCS) [high] - UC-19.1.5 · FI Port Channel Health [critical] - UC-19.1.6 · Power and Thermal Monitoring (Cisco UCS) [high] - UC-19.1.10 · Blade Firmware Compliance (Cisco UCS) [high] - UC-19.1.11 · Service Profile Association Failures (Cisco UCS) [critical] - UC-19.1.12 · Fault Suppression Policy Audit (Cisco UCS) [medium] - UC-19.1.13 · FI Port Channel Member Errors and CRCs [critical] - UC-19.1.14 · UCS Manager Backup Validation [high] - UC-19.1.15 · Chassis PSU Redundancy [critical] - UC-19.1.16 · IOM Uplink Utilization [high] - UC-19.1.17 · BIOS Policy Compliance [medium] - UC-19.1.18 · UCS Central Registration Health [medium] - UC-19.1.19 · Intersight Server Alarm Monitoring [critical] - UC-19.1.20 · Intersight Firmware Compliance [high] - UC-19.1.21 · Intersight HCL Compliance Status [medium] - UC-19.1.22 · Intersight Server Power and Thermal Telemetry [medium] - UC-19.1.23 · Intersight Audit Log and Configuration Changes [high] - UC-19.1.24 · Intersight Contract and Warranty Compliance [medium] - UC-19.1.25 · UCS X-Series Intelligent Fabric Module Health [high] - UC-19.1.26 · Nutanix Prism Central Alert Monitoring [high] - UC-19.1.27 · Nutanix AOS Version Compliance [medium] - UC-19.1.28 · Nutanix Snapshot Retention Compliance [medium] - UC-19.1.29 · Blade Server ECC Memory Error Rate (Cisco UCS) [high] - UC-19.1.30 · Rack Server PSU N+1 Redundancy (Cisco 
UCS C-Series) [critical] - UC-19.1.31 · Fabric Interconnect HA Cluster State [critical] - UC-19.1.32 · CNA / vNIC Adapter Firmware Drift (Cisco UCS) [medium] - UC-19.1.33 · Intersight Device Connector / Tunnel Health [high] - UC-19.1.34 · Chassis Thermal Runaway Risk (Blade Enclosures) [critical] - UC-19.1.35 · IOM / FEX to FI Link Flap Events [high] - UC-19.1.36 · Service Profile vNIC Redundancy and Failover Audit [high] ### 19.2 Hyper-Converged Infrastructure (HCI) - UC-19.2.1 · Cluster Health Monitoring [critical] - UC-19.2.2 · Storage Pool Capacity [high] - UC-19.2.3 · Storage I/O Latency [critical] - UC-19.2.4 · Node Performance Balance [medium] - UC-19.2.5 · Disk Failure Tracking [critical] - UC-19.2.6 · Replication Factor Compliance [critical] - UC-19.2.7 · CVM (Controller VM) Health [critical] - UC-19.2.8 · HCI Cluster Balance and Skew [high] - UC-19.2.9 · HCI Data Resiliency and Rebuild Progress [critical] - UC-19.2.10 · HCI Hypervisor and AOS Version Compliance [high] - UC-19.2.11 · HCI Network and Storage Controller Saturation [high] - UC-19.2.12 · HCI Prism Central and Management Plane Health [critical] - UC-19.2.13 · Dell VxRail Cluster Health [high] - UC-19.2.14 · Nutanix CVM Resource and Service Health [critical] - UC-19.2.15 · Storage Pool Rebalance Monitoring [medium] - UC-19.2.16 · HCI Node Failure Domain Risk [critical] - UC-19.2.17 · vSAN Disk Group Health [critical] - UC-19.2.18 · Cluster Expansion Events [medium] - UC-19.2.19 · Nutanix AHV Host Capacity [high] - UC-19.2.20 · SimpliVity Backup Efficiency [medium] - UC-19.2.21 · Azure Stack HCI Cluster Health [critical] - UC-19.2.22 · HPE dHCI Tier Health [high] - UC-19.2.23 · vSAN Witness Appliance Health [critical] - UC-19.2.24 · HCI Deduplication Efficiency Ratio [medium] - UC-19.2.25 · Nutanix Cluster Health Score and Critical Services [critical] - UC-19.2.26 · VxRail LCM Compliance and Staged Bundle Drift [high] - UC-19.2.27 · vSAN Disk Group Capacity Headroom and Mount State [critical] - 
UC-19.2.28 · Nutanix Storage Pool Erasure Coding vs RF Footprint [medium] - UC-19.2.29 · Nutanix Controller VM Storage Bandwidth Saturation [high] - UC-19.2.30 · vSAN Component Overhead and Resync Backlog Depth [high] - UC-19.2.31 · Nutanix Async Remote Site Replication Lag and RPO Risk [high] - UC-19.2.32 · VxRail vCenter Extension and Marvin Plugin Health [high] ### 19.3 Azure Stack HCI - UC-19.3.1 · Azure Stack HCI Cluster Validation and Quorum Health [critical] - UC-19.3.2 · Storage Spaces Direct Pool Utilization and Tier Imbalance [high] - UC-19.3.3 · VM Placement and Live Migration Failure Rate [high] - UC-19.3.4 · Azure Arc for Servers Heartbeat and Extension Inventory [high] - UC-19.3.5 · Windows Admin Center Connection and Gateway Audit Events [medium] - UC-19.3.6 · Cluster-Aware Updating Run Status and Node Drain Failures [high] - UC-19.3.7 · S2D Cache Device Health and Predictive Failure SMART Signals [critical] ## 20. Cost & Capacity Management Cloud cost monitoring and capacity planning — spend trends, idle resources, rightsizing, and budget alerts. **Quick tip:** Ingest cloud billing data (AWS CUR, Azure Cost Management) and use Splunk for trend analysis. 
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-20-cost-capacity-management.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-20-cost-capacity-management.md ### 20.1 Cloud Cost Monitoring - UC-20.1.1 · Daily Spend Trending [high] - UC-20.1.2 · Cost Anomaly Detection [critical] - UC-20.1.3 · Reserved Instance Utilization [medium] - UC-20.1.4 · Idle Resource Identification [high] - UC-20.1.5 · Budget Threshold Alerting [high] - UC-20.1.6 · Cost Allocation by Team [medium] - UC-20.1.7 · Spot/Preemptible Instance Tracking [medium] - UC-20.1.8 · Data Transfer Cost Analysis [medium] - UC-20.1.9 · Predictive Disk / Volume Exhaustion [high] - UC-20.1.10 · Reserved Instance Coverage Gaps [high] - UC-20.1.11 · Spot Instance Interruption Rate [medium] - UC-20.1.12 · FinOps Budget Alert Correlation [high] - UC-20.1.13 · Cost Anomaly by Cloud Service [critical] - UC-20.1.14 · Savings Plan Utilization and Hourly Burn [high] - UC-20.1.15 · Data Transfer Cost Attribution by Tag [medium] - UC-20.1.16 · Container Workload Right-Sizing Cost [high] - UC-20.1.17 · Serverless Invocation Cost Trending [medium] - UC-20.1.18 · Orphaned Cloud Resource Detection [high] - UC-20.1.19 · Cost Allocation Tag Compliance [high] - UC-20.1.20 · Idle Resource Identification by Account [high] - UC-20.1.21 · Azure Cost Management Daily Spend by Meter Category [high] - UC-20.1.22 · GCP Billing Export Cost by Project and Service [high] - UC-20.1.23 · Reserved Instance Purchase Amortization vs On-Demand Leakage [medium] - UC-20.1.24 · Savings Plan Coverage of Eligible Compute Spend [high] - UC-20.1.25 · NAT Gateway and VPC Endpoint Egress Cost Concentration [medium] - UC-20.1.26 · Spot Fleet Savings vs Interrupted Instance-Hours [medium] - UC-20.1.27 · Cross-Cloud Consolidated FinOps Executive Rollup [high] ### 20.2 Capacity Planning - UC-20.2.1 · Compute Capacity Forecasting [high] - UC-20.2.2 · Storage Growth Forecasting 
[high] - UC-20.2.3 · Network Bandwidth Trending [medium] - UC-20.2.4 · License Utilization Tracking [medium] - UC-20.2.5 · Right-Sizing Recommendations [medium] - UC-20.2.6 · Database Growth Projection [medium] - UC-20.2.7 · Seasonal Capacity Modeling [medium] - UC-20.2.8 · IP Address Space Utilization [medium] - UC-20.2.9 · Cloud Commitment and Savings Plan Utilization [high] - UC-20.2.10 · Anomalous Cost Spike by Service or Account [high] - UC-20.2.11 · Unused and Orphaned Resource Cost Attribution [medium] - UC-20.2.12 · License and Subscription Consumption vs Entitlement [high] - UC-20.2.13 · Cost Forecast vs Budget and Variance Alert [critical] - UC-20.2.14 · Software License Compliance Audit [medium] - UC-20.2.15 · Power Consumption Cost Trending [medium] - UC-20.2.16 · Cloud Committed-Use Discount Coverage [medium] - UC-20.2.17 · Storage Capacity Forecast by Tier [high] - UC-20.2.18 · Compute Cluster Scaling Headroom [high] - UC-20.2.19 · Network Bandwidth Utilization Trending (Site Interconnect) [medium] - UC-20.2.20 · Seasonal Capacity Planning Baseline [medium] - UC-20.2.21 · CPU and Memory Right-Sizing (Host and VM) [medium] - UC-20.2.22 · Disk IOPS Saturation Trending [high] - UC-20.2.23 · VM Sprawl Detection [medium] - UC-20.2.24 · Cloud Cost Anomaly with Seasonal Decomposition (MLTK) [critical] - UC-20.2.25 · Capacity Exhaustion Prediction with Confidence Intervals (MLTK) [critical] - UC-20.2.26 · Kubernetes Namespace Resource Quota Pressure [high] - UC-20.2.27 · Object Storage Bucket Growth Forecast [high] - UC-20.2.28 · Database Datafile Size and Autogrow Trending [high] - UC-20.2.29 · Site-to-Site VPN Tunnel Bandwidth Headroom [high] - UC-20.2.30 · Search and Analytics Cluster Disk Watermark Risk [critical] - UC-20.2.31 · Message Broker Disk and Retention Capacity [high] - UC-20.2.32 · GPU Pool Utilization for ML Workload Capacity [medium] - UC-20.2.33 · Domain Controller Performance Under LDAP Load [high] ### 20.3 License & Subscription Management 
- UC-20.3.1 · SaaS License Utilization (Assigned vs Active) [high] - UC-20.3.2 · Software Audit Readiness Reporting [high] - UC-20.3.3 · Subscription Renewal Forecasting [medium] - UC-20.3.4 · License Compliance Gap Detection [critical] - UC-20.3.5 · Multi-Year Contract Consumption Trending [medium] - UC-20.3.6 · License Pool Allocation Optimization [medium] - UC-20.3.7 · Auto-Renewal Risk Detection [high] - UC-20.3.8 · Microsoft 365 Inactive License Harvest Candidates [high] - UC-20.3.9 · Salesforce Seat Activity vs Purchased Licenses [medium] - UC-20.3.10 · ServiceNow Fulfiller versus Requester License Mix [high] - UC-20.3.11 · Oracle Database Option Usage versus Entitlements [critical] - UC-20.3.12 · Splunk Enterprise License Pool Usage and Stack Warnings [high] - UC-20.3.13 · SAP Named User License versus Concurrent Session Peaks [critical] - UC-20.3.14 · Software License Harvesting Queue from SAM Reclamation [medium] - UC-20.3.15 · GitHub Enterprise Seat Utilization versus Active Contributors [medium] - UC-20.3.16 · Webex or Zoom Concurrent License Peak versus Subscription [high] - UC-20.3.17 · Citrix Virtual Apps and Desktops Concurrent Session versus License Count [high] ## 21. Industry Verticals Industry-specific operational monitoring — energy, manufacturing, healthcare, transportation, oil & gas, retail, aviation, telecom, water utilities, and insurance. **Quick tip:** Combine standard infrastructure TAs with industry-specific data sources (SCADA historians, HL7 feeds, fleet telematics, POS systems) for vertical-specific observability. 
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-21-industry-verticals.md Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-21-industry-verticals.md ### 21.1 Energy and Utilities - UC-21.1.1 · SCADA Alarm Rate Monitoring and Alarm Flooding Detection [critical] - UC-21.1.2 · Substation RTU Communication Failure [critical] - UC-21.1.3 · Smart Meter Data Gap Detection [high] - UC-21.1.4 · Power Quality Event Correlation [high] - UC-21.1.5 · Renewable Generation Forecast vs Actual Deviation [high] - UC-21.1.6 · Distribution Feeder Load Imbalance [medium] - UC-21.1.7 · Transformer Dissolved Gas Analysis (DGA) Trending [critical] - UC-21.1.8 · Generator Trip Event Correlation [critical] - UC-21.1.9 · Energy Trading Position Reconciliation [critical] - UC-21.1.10 · AMI Mesh Network Health [medium] - UC-21.1.11 · Demand Response Event Compliance Verification [high] - UC-21.1.12 · Outage Management System vs SCADA State Correlation [critical] - UC-21.1.13 · Vegetation Management Work Order Tracking [medium] - UC-21.1.14 · Utility Fleet GPS and Dispatch Optimization [high] - UC-21.1.15 · Customer Billing Exception Monitoring [high] ### 21.2 Manufacturing and Process Industry - UC-21.2.1 · Overall Equipment Effectiveness (OEE) Calculation [high] - UC-21.2.2 · Unplanned Downtime Root Cause Correlation [critical] - UC-21.2.3 · Production Batch Yield Tracking [high] - UC-21.2.4 · Quality SPC Chart Monitoring [high] - UC-21.2.5 · Predictive Maintenance Vibration Baseline Drift [medium] - UC-21.2.6 · Energy Consumption Per Unit Produced [medium] - UC-21.2.7 · MES Order Completion Tracking [high] - UC-21.2.8 · Supply Chain EDI Message Failure Rate [high] - UC-21.2.9 · Bill of Materials (BOM) Discrepancy Detection [medium] - UC-21.2.10 · Warehouse Pick-Pack-Ship Cycle Time [medium] - UC-21.2.11 · Robotic Cell Cycle Time Deviation [high] - UC-21.2.12 · Conveyor Belt Speed and Jam Detection [high] - 
UC-21.2.13 · Compressed Air System Leak Detection [medium] - UC-21.2.14 · Clean-in-Place (CIP) Cycle Validation [critical] - UC-21.2.15 · Production Shift Handover Report Generation [medium] ### 21.3 Healthcare and Life Sciences - UC-21.3.1 · EHR System Response Time Monitoring [critical] - UC-21.3.2 · Clinical Application Uptime SLA Tracking [critical] - UC-21.3.3 · Nurse Call System Response Time [high] - UC-21.3.4 · Blood Bank Refrigerator Temperature Compliance [critical] - UC-21.3.5 · Pharmaceutical Cold Chain Deviation Alerting [critical] - UC-21.3.6 · Lab Information System Result Turnaround Time [high] - UC-21.3.7 · FDA 21 CFR Part 11 Electronic Signature Audit Trail [high] - UC-21.3.8 · GxP System Change Control Log Monitoring [high] - UC-21.3.9 · Clinical Trial Data Integrity Monitoring [high] - UC-21.3.10 · Radiology Reading Turnaround Time [high] - UC-21.3.11 · Patient Flow and Bed Management Analytics [high] - UC-21.3.12 · Emergency Department Wait Time Tracking [critical] - UC-21.3.13 · Surgical Suite Utilization and Turnover Monitoring [high] - UC-21.3.14 · Biomedical Equipment Preventive Maintenance Compliance [medium] - UC-21.3.15 · Medication Administration Record Reconciliation [high] - UC-21.3.16 · Telehealth Session Quality Monitoring [medium] - UC-21.3.17 · Clinical Decision Support Response Time [medium] - UC-21.3.18 · DIPS Arena Application Response Time [critical] - UC-21.3.19 · DIPS Arena FHIR API Availability and Latency [critical] - UC-21.3.20 · DIPS Arena User Authentication and SSO Monitoring [high] - UC-21.3.21 · DIPS Arena Database Performance [critical] - UC-21.3.22 · DIPS Communicator Message Throughput and Failures [high] - UC-21.3.23 · DIPS Arena Integration Engine Error Monitoring [high] - UC-21.3.24 · DIPS Arena Concurrent Session and License Utilization [medium] - UC-21.3.25 · DIPS Arena Clinical Document Generation Latency [medium] - UC-21.3.26 · DIPS Arena Scheduled Job Monitoring [high] - UC-21.3.27 · DIPS Arena openEHR AQL 
Query Performance [medium] ### 21.4 Transportation and Logistics - UC-21.4.1 · Fleet Vehicle GPS Tracking and Geofence Alerting [high] - UC-21.4.2 · Driver Behavior Scoring [medium] - UC-21.4.3 · Fuel Consumption Anomaly Detection [medium] - UC-21.4.4 · Vehicle Diagnostic Trouble Code Monitoring [high] - UC-21.4.5 · Port Container Crane Cycle Time Analytics [medium] - UC-21.4.6 · Rail Signaling System Health Monitoring [critical] - UC-21.4.7 · Airport Baggage Handling System Throughput [high] - UC-21.4.8 · Warehouse Management System Order Accuracy [medium] - UC-21.4.9 · Last-Mile Delivery SLA Compliance [high] - UC-21.4.10 · Cold Chain Temperature Excursion for Perishable Goods [critical] - UC-21.4.11 · Intermodal Container Dwell Time [medium] - UC-21.4.12 · Traffic Management System Sensor Availability [high] ### 21.5 Oil, Gas, and Mining - UC-21.5.1 · Pipeline Pressure and Flow Rate Anomaly Detection [critical] - UC-21.5.2 · Wellhead Telemetry Data Gap Monitoring [high] - UC-21.5.3 · Gas Compressor Vibration Trending [high] - UC-21.5.4 · Flare Stack Event Correlation and Emissions Tracking [high] - UC-21.5.5 · Mineral Processing Throughput Optimization [medium] - UC-21.5.6 · Haul Truck Fleet Utilization and Payload Tracking [medium] - UC-21.5.7 · Drill Rig Sensor Health Monitoring [high] - UC-21.5.8 · Safety Instrumented System Trip Event Analysis [critical] - UC-21.5.9 · Environmental Compliance Effluent Monitoring [high] - UC-21.5.10 · Tank Farm Level Monitoring and Overflow Prevention [critical] - UC-21.5.11 · Cathodic Protection System Integrity [medium] - UC-21.5.12 · Seismic Monitoring Data Quality Validation [medium] ### 21.6 Retail and E-Commerce Operations - UC-21.6.1 · POS Terminal Transaction Response Time Monitoring [high] - UC-21.6.2 · Self-Checkout Lane Availability and Error Rate [high] - UC-21.6.3 · In-Store Wi-Fi and Network Infrastructure Health [high] - UC-21.6.4 · Foot Traffic Analytics [medium] - UC-21.6.5 · Click-and-Collect Order 
Fulfillment Cycle Time [high]
- UC-21.6.6 · E-Commerce Platform Checkout Funnel Latency [high]
- UC-21.6.7 · Inventory Replenishment Trigger Accuracy [medium]
- UC-21.6.8 · Store HVAC and Energy Consumption Optimization [medium]
- UC-21.6.9 · Digital Signage Content Delivery Health [medium]
- UC-21.6.10 · Mobile POS Device Battery and Connectivity [high]
- UC-21.6.11 · Loss Prevention Camera System Uptime [high]
- UC-21.6.12 · Multi-Location Store Infrastructure Comparison [medium]

### 21.7 Aviation and Airport Operations

- UC-21.7.1 · Baggage Handling System Throughput and Misroute Detection [critical]
- UC-21.7.2 · Security Lane Processing Time and Queue Length [critical]
- UC-21.7.3 · Aircraft Turnaround Time Monitoring (A-CDM) [critical]
- UC-21.7.4 · Airfield Ground Vehicle Tracking and Geofencing [high]
- UC-21.7.5 · Flight Information Display System (FIDS) Health [high]
- UC-21.7.6 · Airport Wi-Fi Capacity and Congestion Monitoring [medium]
- UC-21.7.7 · Runway and Taxiway Lighting System Status [critical]
- UC-21.7.8 · Gate Allocation Optimization Analytics [high]
- UC-21.7.9 · Passenger Flow and Terminal Capacity [high]
- UC-21.7.10 · Airport SCADA Alarm Monitoring [critical]

### 21.8 Telecommunications Operations

- UC-21.8.1 · RAN Cell Site Availability [critical]
- UC-21.8.2 · Core Network Element Health (MME, SGW, PGW) [critical]
- UC-21.8.3 · Subscriber Provisioning Workflow Completion Rate [high]
- UC-21.8.4 · Network Capacity Planning (Spectrum Utilization Trending) [high]
- UC-21.8.5 · Service Activation and Billing Mediation Latency [high]
- UC-21.8.6 · OSS/BSS System Integration Health [high]
- UC-21.8.7 · Customer Trouble Ticket Mean Time to Resolution [medium]
- UC-21.8.8 · 5G NR gNodeB Performance Monitoring [high]
- UC-21.8.9 · Network Slice Resource Utilization [high]
- UC-21.8.10 · Content Delivery Network Cache Hit Ratio [medium]

### 21.9 Water and Wastewater Utilities

- UC-21.9.1 · Treatment Plant Process Parameter Monitoring [critical]
- UC-21.9.2 · Pump Station Run Time and Efficiency Trending [high]
- UC-21.9.3 · Distribution System Pressure Zone Monitoring [critical]
- UC-21.9.4 · Sewer Overflow Early Warning [critical]
- UC-21.9.5 · Water Quality Compliance Sampling Automation [high]
- UC-21.9.6 · SCADA RTU Communication Health Across Remote Sites [critical]
- UC-21.9.7 · Water Loss and Non-Revenue Water Detection [high]
- UC-21.9.8 · Lift Station Failure Prediction [high]

### 21.10 Insurance and Claims Processing

- UC-21.10.1 · Claims Processing Cycle Time Monitoring [high]
- UC-21.10.2 · First Notice of Loss Channel Analysis [medium]
- UC-21.10.3 · Claims Adjuster Workload Balancing [high]
- UC-21.10.4 · Subrogation Recovery Tracking [medium]
- UC-21.10.5 · Policy Underwriting Decision Audit Trail [high]
- UC-21.10.6 · Insurance Fraud Ring Detection [critical]
- UC-21.10.7 · Workers Compensation Return-to-Work Tracking [high]
- UC-21.10.8 · Catastrophe Event Claims Surge Capacity Monitoring [critical]

## 22. Regulatory and Compliance Frameworks

Cross-industry regulatory compliance monitoring — GDPR, NIS2, DORA, CCPA, MiFID II, ISO 27001, NIST CSF, and SOC 2. Deployable SPL for PII detection, breach notification timelines, data subject rights tracking, ICT risk management, and continuous control evidence.

**Quick tip:** Map ES correlation searches and risk scores to specific regulatory articles for auditable, data-driven compliance evidence.

Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-22-regulatory-compliance.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-22-regulatory-compliance.md

### 22.1 GDPR

- UC-22.1.1 · GDPR PII Detection in Application Log Data (Art. 5/6) [critical] [CCPA, GDPR]
- UC-22.1.2 · GDPR Data Subject Access Request Fulfillment Tracking (Art. 15-22) [critical] [CCPA, GDPR]
- UC-22.1.3 · GDPR Breach Notification Timeline Monitoring (Art. 33, 72-hour rule) [critical] [GDPR]
- UC-22.1.4 · GDPR Data Retention Policy Enforcement (Art. 5(1)(e)) [high] [CCPA, GDPR]
- UC-22.1.5 · GDPR Consent Management Audit Trail (Art. 7) [high] [GDPR]
- UC-22.1.6 · GDPR Cross-Border Data Transfer Monitoring (Art. 44-49) [critical] [GDPR]
- UC-22.1.7 · GDPR Security of Processing — Encryption and Pseudonymisation Coverage (Art. 32) [critical] [GDPR]
- UC-22.1.8 · GDPR Records of Processing Activities Completeness (Art. 30) [high] [GDPR]
- UC-22.1.9 · GDPR Data Protection by Design — Data Minimisation Validation (Art. 25) [high] [CCPA, GDPR]
- UC-22.1.10 · GDPR Privileged Access to Personal Data Stores (Art. 5(1)(f) / Art. 32) [critical] [CCPA, GDPR]
- UC-22.1.11 · GDPR Right to Erasure Verification (Art. 17) [critical] [GDPR]
- UC-22.1.12 · GDPR Breach Scope and Affected Data Subject Quantification (Art. 33(3)) [critical] [CCPA, GDPR]
- UC-22.1.13 · GDPR High-Risk Breach Communication to Data Subjects (Art. 34) [critical] [CCPA, GDPR]
- UC-22.1.14 · GDPR Data Protection Impact Assessment Coverage (Art. 35) [high] [CCPA, GDPR]
- UC-22.1.15 · GDPR Third-Party Processor Compliance Monitoring (Art. 28) [high] [GDPR]
- UC-22.1.16 · GDPR Consent Withdrawal Processing Enforcement (Art. 7(3)) [high] [GDPR]
- UC-22.1.17 · GDPR Audit Log Integrity and Tamper Protection (Art. 5(2)) [high] [GDPR]
- UC-22.1.18 · GDPR Automated Decision-Making and Profiling Transparency (Art. 22) [high] [GDPR]
- UC-22.1.19 · GDPR Data Subject Rights Response SLA Dashboard (Art. 12) [high] [CCPA, GDPR]
- UC-22.1.20 · GDPR Legitimate Interest Balancing Test Evidence (Art. 6(1)(f)) [high] [GDPR]
- UC-22.1.21 · GDPR Encryption at Rest Audit Evidence (Art. 32(1)(a)) [high] [GDPR]
- UC-22.1.22 · GDPR Access Control Review and Privileged Access Evidence (Art. 32(1)(b)) [high] [GDPR]
- UC-22.1.23 · GDPR Pseudonymisation Validation in Pipelines and Logs (Art. 32(1)(a)) [high] [GDPR]
- UC-22.1.24 · GDPR Security Testing Evidence Aggregation (Pen Test / Red Team) (Art. 32(1)(d)) [high] [GDPR]
- UC-22.1.25 · GDPR Security Incident Tracking Linked to Personal Data Impact (Art. 32(1)(c)) [critical] [CCPA, GDPR]
- UC-22.1.26 · GDPR Resilience and Availability Monitoring for Personal-Data Services (Art. 32(1)(b)(c)) [high] [GDPR]
- UC-22.1.27 · GDPR Processor Compliance Attestation Tracking (Art. 28(3)) [high] [GDPR]
- UC-22.1.28 · GDPR Sub-Processor Change Monitoring (Art. 28(2), Art. 28(4)) [high] [GDPR]
- UC-22.1.29 · GDPR Processor Personal Data Breach Notification SLA (Art. 28(3)(f), Art. 33) [critical] [CCPA, GDPR]
- UC-22.1.30 · GDPR Data Processing Agreement Obligation Control Matrix (Art. 28(3)) [high] [GDPR]
- UC-22.1.31 · GDPR Processor Audit Evidence — Right to Audit and Inspection Logs (Art. 28(3)(h)) [high] [GDPR]
- UC-22.1.32 · GDPR DPIA Completion Tracking Against High-Risk Processing (Art. 35(7)) [high] [GDPR]
- UC-22.1.33 · GDPR DPIA Residual Risk Scoring and Escalation (Art. 35(7)(b)) [high] [GDPR]
- UC-22.1.34 · GDPR DPIA Supervisory Authority Consultation Tracking (Art. 36) [high] [GDPR]
- UC-22.1.35 · GDPR DPIA Remediation Monitoring and Mitigation Closure (Art. 35(7)(d)) [high] [GDPR]
- UC-22.1.36 · GDPR Transfer Impact Assessment (TIA) Status for Third-Country Transfers (Art. 44-46) [high] [GDPR]
- UC-22.1.37 · GDPR Standard Contractual Clauses (SCCs) Compliance Tracking (Art. 46(2)(c)) [high] [GDPR]
- UC-22.1.38 · GDPR Data Localization Enforcement for Restricted Processing (Art. 44-49) [critical] [GDPR]
- UC-22.1.39 · GDPR Adequacy Decision and Legal Basis Change Monitoring (Art. 45) [high] [GDPR]
- UC-22.1.40 · GDPR Binding Corporate Rules (BCR) Evidence and Intra-Group Transfer Monitoring (Art. 47) [high] [GDPR]
- UC-22.1.41 · GDPR Unauthorized Cloud Service Detection (Shadow SaaS) (Art. 5(2), Art. 32) [high] [GDPR]
- UC-22.1.42 · GDPR Shadow IT Personal Data Processing Indicators (Art. 5(2)) [high] [CCPA, GDPR]
- UC-22.1.43 · GDPR Personal Data in Non-Approved Systems (ROPA Drift Detection) (Art. 5(2), Art. 30) [high] [CCPA, GDPR]
- UC-22.1.44 · GDPR Cross-Border Personal Data Flow Anomaly Detection (Arts. 44-49) [high] [CCPA, GDPR]
- UC-22.1.45 · GDPR Privacy Settings Default Validation (Privacy by Design / Default) (Art. 25(2)) [high] [GDPR]
- UC-22.1.46 · GDPR Consent Mechanism Audit (Lawful Basis Alignment) (Art. 25(1), Art. 7) [high] [GDPR]
- UC-22.1.47 · GDPR Data Minimisation Compliance in Logs and APIs (Art. 25(2), Art. 5(1)(c)) [high] [GDPR]
- UC-22.1.48 · GDPR Purpose Limitation Enforcement Across Systems (Art. 25(1), Art. 5(1)(b)) [high] [GDPR]
- UC-22.1.49 · GDPR Storage Limitation Automation Evidence (Art. 25(2), Art. 5(1)(e)) [high] [GDPR]
- UC-22.1.50 · GDPR Transparency Notice Completeness and Version Alignment (Art. 12-14, Art. 25(1)) [high] [GDPR]

### 22.2 NIS2

- UC-22.2.1 · NIS2 Incident Detection and 24-Hour Early Warning Reporting (Art. 23) [critical] [EU NIS2]
- UC-22.2.2 · NIS2 Supply Chain Security Monitoring (Art. 21(2)(d)) [high] [EU NIS2]
- UC-22.2.3 · NIS2 Vulnerability Disclosure and Patch Management Tracking (Art. 21(2)(e)) [critical] [EU NIS2]
- UC-22.2.4 · NIS2 Business Continuity and Crisis Management Monitoring (Art. 21(2)(c)) [critical] [EU NIS2]
- UC-22.2.5 · NIS2 Network and Information Systems Access Control Audit (Art. 21(2)(i)) [critical] [EU NIS2]
- UC-22.2.6 · NIS2 Risk Analysis and Information System Security Policy Evidence (Art. 21(2)(a)) [critical] [EU NIS2]
- UC-22.2.7 · NIS2 72-Hour Incident Notification Readiness (Art. 23(2)) [critical] [EU NIS2]
- UC-22.2.8 · NIS2 One-Month Final Incident Report Tracking (Art. 23(4)) [high] [EU NIS2]
- UC-22.2.9 · NIS2 Effectiveness Assessment of Cybersecurity Measures (Art. 21(2)(f)) [high] [EU NIS2]
- UC-22.2.10 · NIS2 Cyber Hygiene and Training Compliance (Art. 21(2)(g)) [medium] [EU NIS2]
- UC-22.2.11 · NIS2 Cryptography and Encryption Policy Monitoring (Art. 21(2)(h)) [high] [EU NIS2]
- UC-22.2.12 · NIS2 Multi-Factor Authentication and Secure Communications (Art. 21(2)(j)) [critical] [EU NIS2]
- UC-22.2.13 · NIS2 Asset Management and Configuration Baseline (Art. 21(2)(i)) [high] [EU NIS2]
- UC-22.2.14 · NIS2 Human Resources Security — Joiner/Mover/Leaver Process (Art. 21(2)(i)) [high] [EU NIS2]
- UC-22.2.15 · NIS2 Secure System Acquisition and Development Lifecycle (Art. 21(2)(e)) [high] [EU NIS2]
- UC-22.2.16 · NIS2 Supply Chain Third-Party Risk Continuous Monitoring (Art. 21(2)(d)) [high] [EU NIS2]
- UC-22.2.17 · NIS2 Backup Management and Disaster Recovery Verification (Art. 21(2)(c)) [critical] [EU NIS2]
- UC-22.2.18 · NIS2 Network Security Monitoring and Anomaly Detection (Art. 21(2)(a)) [critical] [EU NIS2]
- UC-22.2.19 · NIS2 Cross-Border Incident Impact Assessment (Art. 23(3)) [high] [EU NIS2]
- UC-22.2.20 · NIS2 Management Body Accountability and Governance Evidence (Art. 20) [high] [EU NIS2]
- UC-22.2.21 · NIS2 Risk Analysis Evidence for Essential Entities (Art. 21(2)) [critical] [NIS2]
- UC-22.2.22 · NIS2 Risk Analysis Evidence for Important Entities (Art. 21(2)) [high] [NIS2]
- UC-22.2.23 · NIS2 Incident Handling Procedure Adherence and Playbook Execution (Art. 21(2)(b)) [critical] [NIS2]
- UC-22.2.24 · NIS2 Business Continuity and ICT Continuity Evidence (Art. 21(2)(c)) [critical] [NIS2]
- UC-22.2.25 · NIS2 Supply Chain Security Assessment Coverage (Art. 21(2)(d)) [high] [NIS2]
- UC-22.2.26 · NIS2 Network Security Monitoring Coverage by Segment (Art. 21(2)(a)) [critical] [NIS2]
- UC-22.2.27 · NIS2 Vulnerability Disclosure Policy Operational Signals (Art. 21(2)(e)) [high] [NIS2]
- UC-22.2.28 · NIS2 Cyber Hygiene Practices — Baseline Control Compliance (Art. 21(2)(g)) [high] [NIS2]
- UC-22.2.29 · NIS2 Cryptography Policy Compliance — TLS and Certificate Posture (Art. 21(2)(h)) [high] [NIS2]
- UC-22.2.30 · NIS2 Human Resources Security Measures Evidence (Art. 21(2)(i)) [high] [NIS2]
- UC-22.2.31 · NIS2 Entity Classification Validation (Essential vs Important) (Art. 2(1), national transposition) [high] [NIS2]
- UC-22.2.32 · NIS2 Proportional Security Measure Verification by Tier (Art. 21(2)) [high] [NIS2]
- UC-22.2.33 · NIS2 Incident Reporting Timeline Compliance (24h Early Warning / 72h Notification) (Art. 23) [critical] [NIS2]
- UC-22.2.34 · NIS2 Cross-Border Incident Coordination Task Tracking (Art. 23(3)) [high] [NIS2]
- UC-22.2.35 · NIS2 Supervisory Compliance Evidence Pack Readiness (Art. 32-33, national measures) [high] [NIS2]
- UC-22.2.36 · NIS2 OT Network Segmentation Validation (Art. 21(2)(a)) [critical] [NIS2]
- UC-22.2.37 · NIS2 SCADA System Access Monitoring (Art. 21(2)(a)) [critical] [NIS2]
- UC-22.2.38 · NIS2 Industrial Control System Patching and Change Evidence (Art. 21(2)(e)) [high] [NIS2]
- UC-22.2.39 · NIS2 OT Incident Detection — Process and Protocol Anomalies (Art. 21(2)(f)) [critical] [NIS2]
- UC-22.2.40 · NIS2 Safety System Integrity Monitoring (SIL / SIS Interlocks) (Art. 21(2)(c)) [critical] [NIS2]
- UC-22.2.41 · NIS2 Management Body Cybersecurity Training Evidence (Art. 20) [high] [NIS2]
- UC-22.2.42 · NIS2 Board-Level Cyber Risk Reporting Distribution Audit (Art. 20) [high] [NIS2]
- UC-22.2.43 · NIS2 Annual Security Assessment Completion Tracking (Art. 21(2)(f)) [high] [NIS2]
- UC-22.2.44 · NIS2 Cooperation Group and Sector Information Sharing Participation (Art. 14) [high] [NIS2]
- UC-22.2.45 · NIS2 CSIRT Notification Compliance and Channel Health (Art. 23) [critical] [NIS2]

### 22.3 DORA

- UC-22.3.1 · DORA ICT Risk Management Dashboard (Art. 5-16) [critical] [DORA]
- UC-22.3.2 · DORA ICT Incident Classification and Reporting (Art. 17-23) [critical] [DORA]
- UC-22.3.3 · DORA Digital Operational Resilience Testing (Art. 24-27) [high] [DORA]
- UC-22.3.4 · DORA Third-Party ICT Provider Concentration Risk (Art. 28-44) [high] [DORA]
- UC-22.3.5 · DORA Cross-Region Disaster Recovery Compliance (Art. 11-12) [critical] [DORA]
- UC-22.3.6 · DORA ICT Change Management and Patch Compliance (Art. 9(4)(e)) [critical] [DORA]
- UC-22.3.7 · DORA ICT Anomaly Detection Capabilities (Art. 10) [critical] [DORA]
- UC-22.3.8 · DORA ICT Incident Response and Recovery Time Tracking (Art. 11) [critical] [DORA]
- UC-22.3.9 · DORA Backup Completeness and Restoration Testing (Art. 12) [critical] [DORA]
- UC-22.3.10 · DORA Post-Incident Review and Learning (Art. 13) [high] [DORA]
- UC-22.3.11 · DORA Major ICT Incident 7-Criteria Classification (Art. 18) [critical] [DORA]
- UC-22.3.12 · DORA ICT Incident Intermediate and Final Report Tracking (Art. 19) [critical] [DORA]
- UC-22.3.13 · DORA Register of Information for ICT Third-Party Arrangements (Art. 28(3)) [high] [DORA]
- UC-22.3.14 · DORA ICT Third-Party SLA Performance Monitoring (Art. 30) [high] [DORA]
- UC-22.3.15 · DORA ICT Access Control and Authentication Monitoring (Art. 9(4)(c)) [critical] [DORA]
- UC-22.3.16 · DORA Vulnerability Assessment and Penetration Test Tracking (Art. 25) [high] [DORA]
- UC-22.3.17 · DORA Threat-Led Penetration Testing (TLPT) Lifecycle (Art. 26) [high] [DORA]
- UC-22.3.18 · DORA ICT Third-Party Exit Strategy Readiness (Art. 28(8)) [high] [DORA]
- UC-22.3.19 · DORA Management Body ICT Governance and Oversight (Art. 5) [high] [DORA]
- UC-22.3.20 · DORA ICT Crisis Communication Readiness (Art. 14) [high] [DORA]
- UC-22.3.21 · DORA ICT Concentration — Single-Provider Spend and Workload Share Thresholds [high] [DORA]
- UC-22.3.22 · DORA ICT Concentration — Critical Service Dependency Fan-In by Provider [critical] [DORA]
- UC-22.3.23 · DORA ICT Concentration — Regional Provider Outage Correlation Exposure Score [high] [DORA]
- UC-22.3.24 · DORA ICT Concentration — Substitutability and Secondary Sourcing Readiness Index [medium] [DORA]
- UC-22.3.25 · DORA TLPT — Test Planning Milestone and Scope Lock Audit Trail [high] [DORA]
- UC-22.3.26 · DORA TLPT — Tester Independence and Conflict-of-Interest Attestation Log [high] [DORA]
- UC-22.3.27 · DORA TLPT — Findings Severity, Remediation Owner, and Due Date Tracking [high] [DORA]
- UC-22.3.28 · DORA TLPT — Retest and Control Effectiveness Verification Events [high] [DORA]
- UC-22.3.29 · DORA Information Sharing — FINCERT-Style Submission Timeliness and Acknowledgment Log [high] [DORA]
- UC-22.3.30 · DORA Information Sharing — Indicator Distribution to Subsidiaries and Branches Coverage [medium] [DORA]
- UC-22.3.31 · DORA Information Sharing — Anonymized Incident TTP Contribution Quality Metrics [medium] [DORA]
- UC-22.3.32 · DORA Outsourcing Registers — Sub-Processor Notification Lag vs Contractual Notice Period [high] [DORA]
- UC-22.3.33 · DORA Outsourcing Registers — Function Mapping Completeness for Each Outsourced Arrangement [high] [DORA]
- UC-22.3.34 · DORA Outsourcing Registers — Data Localization and Cross-Border Transfer Field Validation [critical] [DORA]
- UC-22.3.35 · DORA Exit Strategy — Alternative Provider Shortlist Currency and RFP Readiness [high] [DORA]
- UC-22.3.36 · DORA Exit Strategy — Data Portability Test Evidence and Export Volume Integrity [high] [DORA]
- UC-22.3.37 · DORA Exit Strategy — Runbook Step Completion and Sign-Off SLA for Critical Providers [high] [DORA]
- UC-22.3.38 · DORA ICT Third-Party Risk Register — Inherent vs Residual Risk Score Reconciliation [high] [DORA]
- UC-22.3.39 · DORA ICT Third-Party Risk Register — Control Testing Evidence Freshness by Provider Tier [high] [DORA]
- UC-22.3.40 · DORA ICT Third-Party Risk Register — Issue Density and Open Finding Trend by Provider [medium] [DORA]

### 22.4 CCPA

- UC-22.4.1 · CCPA Consumer Data Access and Deletion Request Tracking (§1798.100-105) [high] [CCPA]
- UC-22.4.2 · CCPA Data Sale Opt-Out Enforcement Monitoring (§1798.120) [high] [CCPA]
- UC-22.4.3 · CCPA Sensitive Personal Information Processing Audit (§1798.121) [critical] [CCPA]
- UC-22.4.4 · CCPA Right to Correct Inaccurate Personal Information (§1798.106) [high] [CCPA]
- UC-22.4.5 · CCPA Data Broker Sale Disclosure and Third-Party Sharing Audit (§1798.99.80, §1798.115) [critical] [CCPA]
- UC-22.4.6 · CCPA Global Privacy Control and “Do Not Sell or Share” Signal Enforcement (§1798.120, §1798.135(b)) [critical] [CCPA]
- UC-22.4.7 · CCPA Financial Incentive Program Consent and Withdrawal Monitoring (§1798.125) [high] [CCPA, GDPR]
- UC-22.4.8 · CCPA Authorized Agent Request Verification and Fulfillment (§1798.140(ah), §1798.145) [medium] [CCPA]
- UC-22.4.9 · CCPA/CPRA — Sensitive PI — Precise Geolocation Collection Stop Signal After User Opt-Out [high] [CCPA/CPRA]
- UC-22.4.10 · CCPA/CPRA — Sensitive PI — Health Information Field Exposure in Non-PHI Indexes [critical] [CCPA/CPRA]
- UC-22.4.11 · CCPA/CPRA — Sensitive PI — Racial or Ethnic Origin Attributes in Model Training Feature Stores [critical] [CCPA/CPRA]
- UC-22.4.12 · CCPA/CPRA — Data Broker Registry — Sale/Share Disclosure Parity vs Published Broker Categories [high] [CCPA/CPRA]
- UC-22.4.13 · CCPA/CPRA — Data Broker Registry — Opt-Out Propagation Latency to Downstream Data Partners [high] [CCPA/CPRA]
- UC-22.4.14 · CCPA/CPRA — Automated Decision Profiling — Opt-Out for Automated Decisioning Honored in Scoring API [high] [CCPA/CPRA]
- UC-22.4.15 · CCPA/CPRA — Automated Decision Profiling — Feature Drift Alerts on Consumer-Profile Models [medium] [CCPA/CPRA]
- UC-22.4.16 · CCPA/CPRA — Automated Decision Profiling — Human Review Queue Depth for Adverse Automated Eligibility Decisions [high] [CCPA/CPRA]
- UC-22.4.17 · CCPA/CPRA — Minor Consent — Age-Gating API Denials vs Account Creation Success Mismatch [critical] [CCPA/CPRA, GDPR]
- UC-22.4.18 · CCPA/CPRA — Minor Consent — Marketing Cookie Fires Before Parental Consent Timestamp [high] [CCPA/CPRA, GDPR]
- UC-22.4.19 · CCPA/CPRA — Dark Patterns — Forced Navigation Loops on “Do Not Sell or Share” Choice Screen [high] [CCPA/CPRA]
- UC-22.4.20 · CCPA/CPRA — Dark Patterns — Pre-Checked “Financial Incentive” Enrollment on Account Settings Save [high] [CCPA/CPRA]
- UC-22.4.21 · CCPA/CPRA — Cross-Context Behavioral Advertising — Cross-Site ID Sync Pixel After GPC Signal [high] [CCPA/CPRA]
- UC-22.4.22 · CCPA/CPRA — Cross-Context Behavioral Advertising — SSP Auction Requests After “Limit Use of Sensitive PI” Flag [critical] [CCPA/CPRA]
- UC-22.4.23 · CCPA/CPRA — Cross-Context Behavioral Advertising — Household Device Graph Linking Without Aggregated Opt-Out Propagation [high] [CCPA/CPRA]
- UC-22.4.24 · CCPA/CPRA — Correction/Deletion Verification — Downstream Data Warehouse Row Still Present After Deletion Certificate [critical] [CCPA/CPRA]
- UC-22.4.25 · CCPA/CPRA — Correction/Deletion Verification — Search Index and Cache Purge Lag After Correction Request [high] [CCPA/CPRA]

### 22.5 MiFID II

- UC-22.5.1 · MiFID II Trade and Transaction Reporting Completeness (Art. 26) [critical] [MiFID II]
- UC-22.5.2 · MiFID II Communications Recording and Retention Audit (Art. 16(7)) [critical] [MiFID II]
- UC-22.5.3 · MiFID II Best Execution Monitoring (Art. 27) [high] [MiFID II]
- UC-22.5.4 · MiFID II Transaction Reporting Timeliness and Rejection Root-Cause (RTS 22, Art. 26) [critical] [MiFID II]
- UC-22.5.5 · MiFID II Product Governance and Target Market Appropriateness Evidence (Art. 9(3) MiFIR, Art. 16(3) MiFID II) [high] [MiFID II]
- UC-22.5.6 · MiFID II Order and Decision Data Record Integrity (Art. 25) [critical] [MiFID II]
- UC-22.5.7 · MiFID II Clock Synchronization and Timestamp Quality for Reporting (RTS 25) [critical] [MiFID II]
- UC-22.5.8 · MiFID II Algorithmic Trading Strategy Limits and Kill-Switch Audit (Art. 17) [critical] [MiFID II]
- UC-22.5.9 · MiFID II Algo Trading — Per-Instrument Circuit Breaker Trigger Frequency and Cooling-Off Compliance [critical] [MiFID II]
- UC-22.5.10 · MiFID II Algo Trading — Kill-Switch Activation Audit Trail and Dual Authorization [critical] [MiFID II]
- UC-22.5.11 · MiFID II Algo Trading — Message Rate Throttle Breaches vs Exchange Limits [high] [MiFID II]
- UC-22.5.12 · MiFID II Client Suitability — Know-Your-Client Refresh Overdue by Risk Segment [high] [MiFID II]
- UC-22.5.13 · MiFID II Client Suitability — Appropriateness Test Pass Required Before Complex Product Orders [critical] [MiFID II]
- UC-22.5.14 · MiFID II Client Suitability — Investment Objective Mismatch Alerts vs Held Positions [high] [MiFID II]
- UC-22.5.15 · MiFID II Conflicts of Interest — Personal Account Dealing Near Client Block Trades [critical] [MiFID II]
- UC-22.5.16 · MiFID II Conflicts of Interest — Research Analyst vs Trading Desk Information Barrier Violations [critical] [MiFID II]
- UC-22.5.17 · MiFID II Conflicts of Interest — Gift and Entertainment Threshold Breach Trending [medium] [MiFID II]
- UC-22.5.18 · MiFID II Market Abuse — Layering and Spoofing Pattern Scores by Trader [critical] [MiFID II]
- UC-22.5.19 · MiFID II Market Abuse — Insider List Access Log Correlation Before Price-Sensitive Events [critical] [MiFID II]
- UC-22.5.20 · MiFID II Market Abuse — Cross-Venue Wash Trade Risk Linking by Beneficial Owner [critical] [MiFID II]
- UC-22.5.21 · MiFID II Best Execution — Venue Quality of Execution Report Ingestion Completeness [high] [MiFID II]
- UC-22.5.22 · MiFID II Best Execution — Slippage vs Reference Price by Client Segment and Instrument Class [high] [MiFID II]
- UC-22.5.23 · MiFID II Best Execution — Client Limit Order Price Improvement vs Top of Book [medium] [MiFID II]
- UC-22.5.24 · MiFID II Transaction Reporting — Field Population Quality Scorecards by Counterparty [high] [MiFID II]
- UC-22.5.25 · MiFID II Transaction Reporting — End-to-End Latency from Execution to ARM Accept Acknowledgment [high] [MiFID II]

### 22.6 ISO 27001

- UC-22.6.1 · ISO 27001 Annex A Control Effectiveness Monitoring [critical] [ISO 27001]
- UC-22.6.2 · ISO 27001 Information Security Event Log Review Compliance (A.12.4) [high] [ISO 27001]
- UC-22.6.3 · ISO 27001 Access Rights Review and Recertification (A.9.2.5) [critical] [ISO 27001]
- UC-22.6.4 · ISO 27001 Information Labelling and Media Handling via DLP (A.8.2.3) [high] [ISO 27001]
- UC-22.6.5 · ISO 27001 Cryptographic Key and Certificate Lifecycle Monitoring (A.10.1.2) [critical] [ISO 27001]
- UC-22.6.6 · ISO 27001 Network Security — Segmentation and Firewall Deny Baseline (A.13.1.1) [high] [ISO 27001]
- UC-22.6.7 · ISO 27001 Supplier IAM and SaaS Integration Change Surveillance (A.15.1.2) [high] [ISO 27001]
- UC-22.6.8 · ISO 27001 Segregation of Duties — Privileged Splunk Knowledge Object Changes (A.5.3) [critical] [ISO 27001, SOX]
- UC-22.6.9 · ISMS Policy Acknowledgment and Version Drift in Confluence or SharePoint (A.5.1) [high] [ISO 27001:2022]
- UC-22.6.10 · Security Role Changes vs RACI in ServiceNow CMDB Ownership (A.5.2) [medium] [ISO 27001:2022]
- UC-22.6.11 · Threat Intelligence Feed Freshness and STIX Object Ingest Gaps (A.5.7) [high] [ISO 27001:2022]
- UC-22.6.12 · Project Security Gate — Production Deploys Without Security CAB Tag (A.5.8) [medium] [ISO 27001:2022]
- UC-22.6.13 · Cloud Shared Responsibility Control Coverage Map (A.5.23) [high] [ISO 27001:2022]
- UC-22.6.14 · Business Continuity — RTO Breach Signals from ITSI Service Degradation (A.5.29) [medium] [ISO 27001:2022]
- UC-22.6.15 · ICT Readiness for BC — Backup Window Overruns vs RPO (A.5.30) [high] [ISO 27001:2022]
- UC-22.6.16 · Compliance with Policies — Splunk Search Head Knowledge Object Violations (A.5.36) [medium] [ISO 27001:2022]
- UC-22.6.17 · Personnel Screening — Contractor Badge Activations Before Background Check Complete (A.6.1) [high] [ISO 27001:2022]
- UC-22.6.18 · Security Awareness Completion Rate by Department (A.6.3) [medium] [ISO 27001:2022]
- UC-22.6.19 · Disciplinary Process Triggers — HR Case Codes Correlated with Security Incidents (A.6.4) [high] [ISO 27001:2022]
- UC-22.6.20 · Remote Working — VPN Split Tunnel and Sensitive App Access (A.6.7) [medium] [ISO 27001:2022]
- UC-22.6.21 · Physical Perimeter — After-Hours Badge Swipes Without Matching Shift (A.7.1) [high] [ISO 27001:2022]
- UC-22.6.22 · Physical Security Monitoring — Camera NVR Offline or Disk Full Events (A.7.4) [medium] [ISO 27001:2022]
- UC-22.6.23 · Removable Storage — USB Mount Events on Engineering Workstations (A.7.10) [high] [ISO 27001:2022]
- UC-22.6.24 · Secure Disposal — Asset Decommission Wipe Confirmation Before CMDB Retire (A.7.14) [medium] [ISO 27001:2022]
- UC-22.6.25 · User Endpoint Patch Latency Beyond SLA (A.8.1) [high] [ISO 27001:2022]
- UC-22.6.26 · Privileged Access — Sudo and RunAs Usage Outside PAM Session (A.8.2) [medium] [ISO 27001:2022]
- UC-22.6.27 · Information Access Restriction — SharePoint Anonymous Link Creation Blocked vs Attempted (A.8.3) [high] [ISO 27001:2022]
- UC-22.6.28 · Secure Authentication — Password Spray Pattern in Entra Sign-Ins (A.8.5) [medium] [ISO 27001:2022]
- UC-22.6.29 · Capacity Management — Disk Utilization Forecast Breach in 14 Days (A.8.6) [high] [ISO 27001:2022]
- UC-22.6.30 · Malware Protection — AV Engine Disabled or Out of Date Events (A.8.7) [medium] [ISO 27001:2022]
- UC-22.6.31 · Technical Vulnerability Management — Exploitable CVEs with Public PoC on In-Scope Hosts (A.8.8) [high] [ISO 27001:2022]
- UC-22.6.32 · Configuration Management — Drift on CIS Hardening Parameters for Web Tier (A.8.9) [medium] [ISO 27001:2022]
- UC-22.6.33 · Information Deletion — S3 Object Delete Storm Outside Retention Workflow (A.8.10) [high] [ISO 27001:2022]
- UC-22.6.34 · Data Masking — Sampled PII Pattern Hits in Non-Production Test Indexes (A.8.11) [medium] [CCPA, GDPR, ISO 27001:2022]
- UC-22.6.35 · Data Leakage Prevention — High Volume Print to PDF on HR Workstations (A.8.12) [high] [ISO 27001:2022]
- UC-22.6.36 · Information Backup — Immutable Backup Bucket Policy Change Attempts (A.8.13) [medium] [ISO 27001:2022]
- UC-22.6.37 · Redundancy of IT — Cluster Node Loss Events for Critical Databases (A.8.14) [high] [ISO 27001:2022]
- UC-22.6.38 · Logging — Forwarder Stopped or CrashLoop on Security-Relevant Hosts (A.8.15) [medium] [ISO 27001:2022]
- UC-22.6.39 · Monitoring Activities — SOC Queue Depth vs On-Shift Analyst Headcount (A.8.16) [high] [ISO 27001:2022]
- UC-22.6.40 · Clock Synchronization — Kerberos Clock Skew Related Authentication Failures (A.8.17) [medium] [ISO 27001:2022]
- UC-22.6.41 · Network Security — East-West Firewall Deny Spike on Server VLAN (A.8.20) [high] [ISO 27001:2022]
- UC-22.6.42 · Web and Email Filtering — Denied High-Risk Categories Toward Young Domains (A.8.21 / A.8.23) [medium] [ISO 27001:2022]
- UC-22.6.43 · Network Segmentation — Cross-VLAN RDP Allowed by Mis-Tuned ACL (A.8.22) [high] [ISO 27001:2022]
- UC-22.6.44 · Use of Cryptography — Weak Cipher Suites Negotiated on Public Load Balancer (A.8.24) [medium] [ISO 27001:2022]
- UC-22.6.45 · Secure SDLC, App Security Requirements, and Secure Coding Pipeline Gates (A.8.25 / A.8.26 / A.8.28) [high] [ISO 27001:2022]

### 22.7 NIST CSF

- UC-22.7.1 · NIST CSF Maturity Posture Dashboard (Identify/Protect/Detect/Respond/Recover) [high] [NIST CSF]
- UC-22.7.2 · NIST CSF Detect Function Coverage Gap Analysis (MITRE ATT&CK) [high] [NIST CSF]
- UC-22.7.3 · NIST CSF Identify — Asset Inventory Coverage and Shadow SaaS Signals (ID.AM-2) [high] [NIST CSF]
- UC-22.7.4 · NIST CSF Protect — Identity Authentication Hardening and MFA Gaps (PR.AC-1) [critical] [NIST CSF]
- UC-22.7.5 · NIST CSF Detect — Continuous Vulnerability Exposure Drift on Critical Servers (DE.CM-7) [high] [NIST CSF]
- UC-22.7.6 · NIST CSF Respond — Incident Response Playbook Execution and Stage Timestamps (RS.RP-1) [critical] [NIST CSF]
- UC-22.7.7 · NIST CSF Recover — Backup Job Success and RTO Readiness for Critical Databases (RC.RP-1) [critical] [NIST CSF]
- UC-22.7.8 · Governance Context — Business Critical Services Mapped to IT Assets (GV.OC-01) [high] [NIST CSF 2.0]
- UC-22.7.9 · External Stakeholder Dependencies — Third-Party SaaS in Auth Flows (GV.OC-02) [high] [NIST CSF 2.0]
- UC-22.7.10 · Enterprise Risk Appetite vs Open Critical Vulnerabilities (GV.RM-01) [medium] [NIST CSF 2.0]
- UC-22.7.11 · Security Role Attestation — RBAC Changes vs HR Start Dates (GV.RR-01) [high] [NIST CSF 2.0]
- UC-22.7.12 · Policy Exception Tracking — Conditional Access Exclusion Groups (GV.PO-01) [high] [NIST CSF 2.0]
- UC-22.7.13 · Documented Baseline Drift — Firewall Rule Adds Outside CAB Window (GV.PO-02) [medium] [NIST CSF 2.0]
- UC-22.7.14 · Executive Oversight Dashboard — Mean Time to Acknowledge Critical Alerts (GV.OV-01) [high] [NIST CSF 2.0]
- UC-22.7.15 · Supply Chain — New Package Installs in CI Against Approved Registry (GV.SC-01) [medium] [NIST CSF 2.0]
- UC-22.7.16 · Hardware Asset Coverage — Agents Missing on In-Scope Servers (ID.AM-01) [high] [NIST CSF 2.0]
- UC-22.7.17 · Software Bill of Materials Signals — Container Image Digests (ID.AM-02) [medium] [NIST CSF 2.0]
- UC-22.7.18 · Data Asset Classification — Sensitive Columns in Query Logs (ID.AM-03) [high] [NIST CSF 2.0]
- UC-22.7.19 · Business Process Impact — Incidents by Critical Application (ID.RA-01) [high] [NIST CSF 2.0]
- UC-22.7.20 · Control Weakness Heatmap — Failed CIS Benchmark Checks (ID.RA-02) [medium] [NIST CSF 2.0]
- UC-22.7.21 · Lessons Learned — Post-Incident Analyst Search Activity (ID.IM-01) [high] [NIST CSF 2.0]
- UC-22.7.22 · Process KPI — Median Days to Remediate High and Critical CVEs (ID.IM-02) [medium] [NIST CSF 2.0]
- UC-22.7.23 · Privileged Path — PAM JIT Elevation vs Standing Admin Logons (PR.AA-01) [high] [NIST CSF 2.0]
- UC-22.7.24 · Non-Human Identity — Service Principal Secret and Certificate Adds (PR.AA-02) [medium] [NIST CSF 2.0]
- UC-22.7.25 · Phishing Simulation Clicks vs Security Awareness Completion (PR.AT-01) [high] [NIST CSF 2.0]
- UC-22.7.26 · Encryption in Transit — Deprecated TLS on Internal APIs (PR.DS-01) [medium] [NIST CSF 2.0]
- UC-22.7.27 · DLP — Blocked Exfil to Personal Email Domains (PR.DS-02) [high] [NIST CSF 2.0]
- UC-22.7.28 · Platform Integrity — sudoers or nsswitch Changes on Linux (PR.PS-01) [medium] [NIST CSF 2.0]
- UC-22.7.29 · DNS Resolver Error Rate SLO for Internal Resolvers (PR.IR-01) [high] [NIST CSF 2.0]
- UC-22.7.30 · Storage Path — Cluster Failover or Multipath Events (PR.IR-02) [medium] [NIST CSF 2.0]
- UC-22.7.31 · EDR Heartbeat Gap Beyond Policy SLA (DE.CM-01) [high] [NIST CSF 2.0]
- UC-22.7.32 · Administrative API Logging Volume Drop vs Baseline (DE.CM-02) [medium] [NIST CSF 2.0]
- UC-22.7.33 · Proxy Denies Toward Young Threat-Intel Domains (DE.CM-03) [high] [NIST CSF 2.0]
- UC-22.7.34 · Database Connection Storm from Application Service Account (DE.CM-04) [medium] [NIST CSF 2.0]
- UC-22.7.35 · Certificate Transparency — New Public Cert for Corporate Brand (DE.CM-05) [high] [NIST CSF 2.0]
- UC-22.7.36 · Lateral Movement Chain — Auth, RDP, and Process Create Same Src (DE.AE-01) [medium] [NIST CSF 2.0]
- UC-22.7.37 · Anomaly on Outbound Bytes from Database Subnet (DE.AE-02) [high] [NIST CSF 2.0]
- UC-22.7.38 · Risk Index Spike for Privileged Accounts (DE.AE-03) [medium] [NIST CSF 2.0]
- UC-22.7.39 · IR Ticket Stuck in Containment Beyond SLA (RS.MA-01) [high] [NIST CSF 2.0]
- UC-22.7.40 · SOAR Case Backlog Aging by Severity (RS.MA-02) [medium] [NIST CSF 2.0]
- UC-22.7.41 · Root Cause Field Completeness on Closed Incidents (RS.AN-01) [high] [NIST CSF 2.0]
- UC-22.7.42 · Composite Timeline — Notable, AV, and Proxy Same Host One Hour (RS.AN-02) [medium] [NIST CSF 2.0]
- UC-22.7.43 · Executive Paging Lag After Sev-1 Playbook Start (RS.CO-01) [medium] [NIST CSF 2.0]
- UC-22.7.44 · Legal Hold Population — Elevated File Export Activity (RS.CO-02) [high] [NIST CSF 2.0]
- UC-22.7.45 · EDR Host Isolation Action Success Rate (RS.MI-01) [high] [NIST CSF 2.0]
- UC-22.7.46 · Scheduled Restore Test Outcomes vs Policy Frequency (RC.RP-01) [high] [NIST CSF 2.0]
- UC-22.7.47 · AD Forest Recovery Drill — Directory Service Restore Events (RC.RP-02) [medium] [NIST CSF 2.0]
- UC-22.7.48 · Multi-Region Failover — Health-Check Driven DNS Answer Changes (RC.RP-03) [high] [NIST CSF 2.0]
- UC-22.7.49 · Crisis Email Blast Size to All Employees (RC.CO-01) [medium] [NIST CSF 2.0]
- UC-22.7.50 · Status Page Update Cadence During Major Incident (RC.CO-02) [high] [NIST CSF 2.0]

### 22.8 SOC 2

- UC-22.8.1 · SOC 2 Trust Services Criteria Continuous Control Monitoring (CC6-CC8) [critical] [SOC 2]
- UC-22.8.2 · SOC 2 System Availability and Incident Response Evidence Collection (A1) [critical] [SOC 2]
- UC-22.8.3 · SOC 2 Confidentiality Classification and DLP Event Audit (C1) [high] [SOC 2]
- UC-22.8.4 · SOC 2 Control Environment and Board-Level Attestation Workflow (CC1.2, CC2.1) [medium] [SOC 2]
- UC-22.8.5 · SOC 2 Risk Assessment — Change-Induced Emergency Pattern Monitoring (CC3.2, CC3.3) [high] [SOC 2]
- UC-22.8.6 · SOC 2 Processing Integrity — Financial Batch Job Reconciliation Exceptions (PI1.3) [critical] [SOC 2]
- UC-22.8.7 · SOC 2 Privacy — Consent Log Integrity and Downstream Propagation Checks (P4.2, P4.3) [high] [GDPR, SOC 2]
- UC-22.8.8 · SOC 2 Fraud Risk and Anomalous Privileged Activity Correlation (CC9.2) [critical] [SOC 2]
- UC-22.8.9 · SOC 2 CC1 — Board and Committee ICT Oversight Evidence Trail [high] [SOC 2]
- UC-22.8.10 · SOC 2 CC2 — Ethical Conduct and Acceptable-Use Violation Monitoring [medium] [SOC 2]
- UC-22.8.11 · SOC 2 CC2 — Organizational Structure and Segregation-of-Duties Validation [high] [SOC 2]
- UC-22.8.12 · SOC 2 CC3 — Management Accountability for Control Deficiency Remediation SLAs [high] [SOC 2]
- UC-22.8.13 · SOC 2 CC4 — Enterprise Risk Register Ingestion and Coverage Gaps [high] [SOC 2]
- UC-22.8.14 · SOC 2 CC4 — Fraud Risk Scenario Testing Evidence from Anomaly Correlation [critical] [SOC 2]
- UC-22.8.15 · SOC 2 CC5 — Change Impact Analysis Completeness for Production Releases [high] [SOC 2]
- UC-22.8.16 · SOC 2 CC6 — Credential Lifecycle — Orphan and Contractor Account Detection [high] [SOC 2]
- UC-22.8.17 · SOC 2 CC6 — Physical Access Review Exception Tracking for Sensitive Facilities [high] [SOC 2]
- UC-22.8.18 · SOC 2 CC6 — Encryption in Transit Policy Enforcement for Admin and API Paths [critical] [SOC 2]
- UC-22.8.19 · SOC 2 CC6 — Timeliness of Access Removal After HR Termination Events [critical] [SOC 2]
- UC-22.8.20 · SOC 2 CC7 — Unauthorized Production Configuration Change Detection [critical] [SOC 2]
- UC-22.8.21 · SOC 2 CC7 — Incident Classification Consistency and Severity Drift Audit [high] [SOC 2]
- UC-22.8.22 · SOC 2 CC7 — Operational Anomaly Detection on Critical Batch and API SLOs [high] [SOC 2]
- UC-22.8.23 · SOC 2 CC7 — Vulnerability Management SLA and Exception Expiry Tracking [high] [SOC 2]
- UC-22.8.24 · SOC 2 CC8 — Infrastructure-as-Code Drift vs Approved Terraform Modules [high] [SOC 2]
- UC-22.8.25 · SOC 2 CC8 — Software Development Lifecycle Control Gates from CI/CD Telemetry [high] [SOC 2]
- UC-22.8.26 · SOC 2 CC9 — Change Authorization Dual-Control on Privileged Cloud Roles [critical] [SOC 2]
- UC-22.8.27 · SOC 2 A1 — Capacity Planning Signals for In-Scope Production Services [medium] [SOC 2]
- UC-22.8.28 · SOC 2 A1 — Disaster Recovery Test Execution and Evidence Timestamps [high] [SOC 2]
- UC-22.8.29 · SOC 2 C1 — Confidential Information Disposal and Secure Destruction Evidence [high] [SOC 
2] - UC-22.8.30 · SOC 2 PI1 — Processing Completeness Validation Across Multi-Stage Pipelines [high] [SOC 2] ### 22.9 Compliance Trending - UC-22.9.1 · Compliance Posture Score Trending [high] - UC-22.9.2 · Audit Finding Closure Rate Trending [high] - UC-22.9.3 · Control Effectiveness Trending [high] - UC-22.9.4 · Regulatory Incident Response Time Trending [medium] - UC-22.9.5 · Policy Violation Volume Trending [medium] - UC-22.9.6 · Compliance Trending — SOC 2 Control Test Pass Rate vs Prior Quarter Baseline [medium] [Multiple] - UC-22.9.7 · Compliance Trending — ISO 27001 Statement of Applicability Control Exception Burn-Down [high] [Multiple] - UC-22.9.8 · Compliance Trending — Auditor Evidence Pack Generation Volume and Deficiency Rate [medium] [Multiple] - UC-22.9.9 · Compliance Trending — Regulatory Change Feed Impact Score on In-Scope Controls [high] [Multiple] - UC-22.9.10 · Compliance Trending — Weighted Compliance Posture Composite and Driver Attribution [high] [Multiple] ### 22.11 PCI DSS v4.0 - UC-22.11.1 · Scheduled Firewall Rule Review Evidence for CDE NSCs (PCI DSS Req 1.1.6, 1.2.8) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.2 · NSC Configuration Change Correlation to Change Tickets (PCI DSS Req 1.1.2, 1.2.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.3 · CDE Boundary Traffic — Unexpected Corporate-to-Payment Flows (PCI DSS Req 1.2.3, 1.3.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.4 · Denied Inbound Attempts to Payment Application Ports (PCI DSS Req 1.2.7, 1.3.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.5 · DMZ Originated Sessions Hitting CDE Internal Segments (PCI DSS Req 1.3.4, 1.3.7) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.6 · Wireless Client Pools Reaching CDE Hosts (PCI DSS Req 1.2.3, 2.2.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.7 · Outbound Service Allow-List Violations from CDE Servers (PCI DSS Req 1.2.1, 1.2.6) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.8 · Default and Vendor Account Authentications on In-Scope Systems 
(PCI DSS Req 2.2.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.9 · Configuration Drift vs CIS Hardening Benchmark on Windows CDE Members (PCI DSS Req 2.2.1, 2.2.3) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.10 · Listening Services and Daemons on Linux Payment Middleware (PCI DSS Req 2.2.4, 2.2.5) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.11 · System Component Inventory Reconciliation — New In-Scope Hosts (PCI DSS Req 2.1.1, 2.1.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.12 · Removal of Vendor Default SNMP and Community Strings (PCI DSS Req 2.2.2, 2.2.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.13 · Security Parameter Drift on In-Scope Routers from Gold Config Hash (PCI DSS Req 2.2.1, 2.2.3) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.14 · Primary Account Number Pattern Discovery in Application Indexes (PCI DSS Req 3.3.1, 3.4.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.15 · Key Management Operations from HSM and KMS Audit Trails (PCI DSS Req 3.5.1, 3.6.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.16 · Data Retention Job Failures for Cardholder Data Stores (PCI DSS Req 3.2.1, 3.3.1) [high] [CCPA, GDPR, PCI DSS, PCI DSS v4.0] - UC-22.11.17 · Cryptographic Erasure Verification After Decommission (PCI DSS Req 3.2.1, 3.5.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.18 · PAN Masking Validation in Point-of-Sale and Web Receipt Logs (PCI DSS Req 3.3.3, 3.4.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.19 · Sensitive Authentication Data (SAD) in Auth Broker Logs (PCI DSS Req 3.3.1, 3.2.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.20 · Hash and Truncation Method Changes on Tokenization Database (PCI DSS Req 3.3.1, 3.5.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.21 · Cryptographic Key Rotation and Custodian Acknowledgement Trail (PCI DSS Req 3.6.1, 3.6.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.22 · TLS 1.2 Minimum Version Violations on Payment APIs (PCI DSS Req 4.1.1, 4.2.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.23 · Weak Cipher Suites Offered 
by Internal TLS Terminators (PCI DSS Req 4.1.1, 4.2.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.24 · Certificate Expiry Risk for Public-Facing Payment Hostnames (PCI DSS Req 4.2.1, 4.2.1.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.25 · Cleartext PAN Indicators in HTTP Headers or Query Strings (PCI DSS Req 4.1.1, 3.4.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.26 · Wireless Link Encryption Downgrade for Store WLAN Carrying Payment Terminals (PCI DSS Req 4.1.1, 2.2.4) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.27 · Anti-Malware Agent Coverage Gaps on CDE Windows Servers (PCI DSS Req 5.2.1, 5.3.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.28 · Malware Definition and Sensor Policy Update Lag (PCI DSS Req 5.2.2, 5.3.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.29 · Scheduled Malware Scan or On-Demand Scan Failures (PCI DSS Req 5.3.1, 5.3.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.30 · Malware Detection Volume Trend by Store and Server Tier (PCI DSS Req 5.2.1, 5.3.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.31 · Phishing Simulation Click-Through Rates for Users with CDE Access (PCI DSS Req 5.3.3, 12.6.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.32 · Anti-Malware Tamper and Bypass Attempt Telemetry (PCI DSS Req 5.2.1, 5.3.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.33 · Critical and High Vulnerabilities on Payment Application Servers (PCI DSS Req 6.3.1, 11.3.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.34 · Critical CVE Remediation SLA Breach Tracking (PCI DSS Req 6.3.1, 6.3.3) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.35 · Web Application Firewall Blocks and Anomalies on Checkout URIs (PCI DSS Req 6.4.1, 6.4.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.36 · Pull-Request and Code Review Evidence for Payment Microservices (PCI DSS Req 6.2.4, 6.3.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.37 · Change Control Completeness for Production Payment Releases (PCI DSS Req 6.5.1, 6.5.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.38 · DAST and 
SAST Finding Density Before Payment Service Releases (PCI DSS Req 6.3.1, 6.3.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.39 · Public-Facing Payment Web Tier Patch and Library Drift (PCI DSS Req 6.3.3, 6.2.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.40 · Role-Based Group Membership Drift for Active Directory CDE OU (PCI DSS Req 7.2.1, 7.2.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.41 · Excessive Database Grants on Schemas Storing Tokenized PAN (PCI DSS Req 7.2.1, 7.2.5) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.42 · Access Request and Approval Completeness for CDE VPN Accounts (PCI DSS Req 7.2.3, 8.2.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.43 · Least-Privilege Validation — Interactive Logons to Database Tier from Workstations (PCI DSS Req 7.2.5, 8.2.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.44 · Privilege Escalation Chains on CDE Windows Servers (PCI DSS Req 7.2.5, 10.2.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.45 · Shared and Break-Glass Account Usage on Payment Infrastructure (PCI DSS Req 8.2.6, 8.6.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.46 · Vendor Remote Access Sessions into CDE Jump Hosts (PCI DSS Req 7.2.5, 12.8.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.47 · MFA Gap Detection for CDE Interactive and Remote Access (PCI DSS Req 8.4.1, 8.4.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.48 · Domain Password Policy Compliance via Resultant Set of Policy Events (PCI DSS Req 8.3.6, 8.3.7) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.49 · Failed Authentication Burst Detection on Payment Gateway Accounts (PCI DSS Req 8.3.4, 10.2.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.50 · Account Lifecycle — New AD Users with Immediate CDE Group Assignment (PCI DSS Req 8.2.1, 8.2.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.51 · Inactive Human Accounts Still Entitled to CDE Groups (PCI DSS Req 8.2.5, 8.2.6) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.52 · Generic Account Prohibition — `admin` / `root` Interactive Success on CDE (PCI DSS Req 
8.2.6, 2.2.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.53 · Remote Access MFA Evidence Correlation — VPN Success Without Step-Up Token (PCI DSS Req 8.4.2, 8.5.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.54 · Service Account Inventory Reconciliation — Unexpected SPN or Delegation Changes (PCI DSS Req 8.2.1, 8.6.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.55 · Session Timeout Enforcement on Payment Web Admin Consoles (PCI DSS Req 8.2.8) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.56 · Physical Badge Access to Data Center Containing Cardholder Systems (PCI DSS Req 9.2.1, 9.4.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.57 · Visitor Log Completeness for Data Center Escorted Access (PCI DSS Req 9.4.1, 9.4.4) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.58 · Secure Media Destruction Workflow Completion for Backup Tapes with CHD (PCI DSS Req 9.5.1, 3.2.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.59 · POS Terminal Tamper and Intrusion Switch Alerts (PCI DSS Req 9.5.1, 9.3.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.60 · Quarterly Physical Access List Review Exception Tracking (PCI DSS Req 9.2.4, 12.1.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.61 · Audit Log Source Completeness — Missing Windows Security Events per CDE Host (PCI DSS Req 10.2.1, 10.3.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.62 · Log Ingestion Pipeline Lag and Parser Error Rate for PCI Indexes (PCI DSS Req 10.2.1, 10.5.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.63 · Daily Log Review Workflow — PCI Queue Ticket Closure SLA (PCI DSS Req 10.4.1, 10.4.1.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.64 · NTP Stratum and Sync Failure Events on Payment Switches and Firewalls (PCI DSS Req 10.6.1, 10.6.1.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.65 · Splunk `_audit` Tamper Indicators — Saved Search Deletes and Role Changes (PCI DSS Req 10.5.1, 10.2.1.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.66 · Critical System Clock Skew Between Database and Application Tier (PCI DSS Req 
10.6.1, 10.6.1.3) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.67 · Comprehensive Audit Trail for Successful CDE Administrator Logons (PCI DSS Req 10.2.1, 10.2.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.68 · Log Retention Index Frozen Bucket Age Compliance (PCI DSS Req 10.5.1, 10.5.1.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.69 · Automated Log Review — Correlation of Firewall Deny Bursts with IDS Signatures (PCI DSS Req 10.4.1, 11.4.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.70 · File Integrity Monitoring Alerts on Payment Web Roots (PCI DSS Req 10.5.2, 11.5.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.71 · Security Event Correlation — Payment API Errors with Concurrent Admin Logons (PCI DSS Req 10.4.1, 10.2.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.72 · Log Source Coverage Gaps — Expected Sourcetypes with Zero Events (PCI DSS Req 10.2.1, 12.10.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.73 · ASV External Scan Failure and Non-Compliant Finding Trend (PCI DSS Req 11.3.1, 11.3.2) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.74 · Internal Authenticated Vulnerability Scan Coverage by CDE Subnet (PCI DSS Req 11.3.1, 11.3.1.3) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.75 · Unauthorized Wireless Access Point Detection by SSID and BSSID (PCI DSS Req 11.3.1, 1.2.3) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.76 · Penetration Test Finding Severity and Re-test Status (PCI DSS Req 11.4.1, 11.4.5) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.77 · IDS and IPS Alert Volume Baseline and Spike Detection (PCI DSS Req 11.4.1, 11.4.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.78 · Segmentation Control Validation — Scanner IP Blocked at CDE Border as Expected (PCI DSS Req 11.4.1, 1.3.3) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.79 · Quarterly Internal Scan Remediation Aging Buckets (PCI DSS Req 11.3.1.1, 6.3.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.80 · External Network Scan Job Failures and Timeout Trending (PCI DSS Req 11.3.2, 6.3.1) [medium] [PCI DSS, PCI DSS v4.0] 
- UC-22.11.81 · Critical Payment Application Binary and Config File Integrity Alerts (PCI DSS Req 11.5.1, 11.5.1.1) [critical] [PCI DSS, PCI DSS v4.0] - UC-22.11.82 · Network Topology Drift — New L3 Adjacency or BGP Peer on CDE Perimeter (PCI DSS Req 11.4.1, 1.2.1) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.83 · Security Awareness Training Completion for Personnel with CDE Access (PCI DSS Req 12.6.1, 12.6.3) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.84 · Incident Response Plan Tabletop and Live Test Execution Logging (PCI DSS Req 12.10.1, 12.10.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.85 · Formal Risk Assessment Evidence and Residual Risk Score Trend (PCI DSS Req 12.3.1, 12.3.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.86 · Third-Party Service Provider Compliance Scorecard Ingest (PCI DSS Req 12.8.1, 12.8.2) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.87 · Acceptable Use Policy Annual Attestation Completion (PCI DSS Req 12.1, 12.6.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.88 · Security Roles and Responsibilities Assignment Completeness (PCI DSS Req 12.1.3, 12.5.1) [medium] [PCI DSS, PCI DSS v4.0] - UC-22.11.89 · Technology Acceptable Use — USB Mass Storage on CDE Workstations (PCI DSS Req 12.3.2, 2.2.4) [high] [PCI DSS, PCI DSS v4.0] - UC-22.11.90 · Annual Information Security Policy Review and Approval Workflow (PCI DSS Req 12.1.1, 12.1.2) [medium] [PCI DSS, PCI DSS v4.0] ### 22.10 HIPAA - UC-22.10.1 · HIPAA Risk Analysis Evidence — Asset & ePHI System Inventory (§164.308(a)(1)) [critical] [HIPAA] - UC-22.10.2 · HIPAA Risk Management — Control Deficiency Tracking (§164.308(a)(1)) [critical] [HIPAA] - UC-22.10.3 · Information System Activity Review — Cross-Source ePHI Access Summary (§164.308(a)(1)(ii)(D)) [critical] [HIPAA] - UC-22.10.4 · Workforce Clearance — HR Hire vs AD Account Creation (§164.308(a)(3)) [high] [HIPAA] - UC-22.10.5 · Termination — Access Revocation Within Policy Window (§164.308(a)(3)(ii)(C)) [critical] [HIPAA] - UC-22.10.6 · Security 
Awareness & Training — Phish Simulation Failure to ePHI Risk (§164.308(a)(5)) [high] [HIPAA] - UC-22.10.7 · Login Monitoring & Security Incident Procedures — Brute Force to Clinical SSO (§164.308(a)(6)) [critical] [HIPAA] - UC-22.10.8 · Contingency Plan — Backup Job Success for ePHI Databases (§164.308(a)(7)) [critical] [HIPAA] - UC-22.10.9 · Periodic Evaluation — Control Test Evidence Ingest (§164.308(a)(8)) [high] [HIPAA] - UC-22.10.10 · Business Associate Contracts — BAA Coverage for Connected Systems (§164.308(a)(1)(ii)(B)) [high] [HIPAA] - UC-22.10.11 · Business Associate Agreements — Expiry & Auto-Renewal Monitoring (§164.308(b)(1)) [high] [HIPAA] - UC-22.10.12 · Sanction Policy — Privileged Abuse on EHR Audit Logs (§164.308(a)(1)(ii)(C)) [critical] [HIPAA] - UC-22.10.13 · Unique User Identification — Shared or Generic EHR Accounts (§164.312(a)(2)(i)) [critical] [HIPAA] - UC-22.10.14 · Emergency Access Procedure — Downtime / Break-Glass Account Usage (§164.312(a)(2)(ii)) [critical] [HIPAA] - UC-22.10.15 · Automatic Logoff — Stale Clinical Workstation Sessions (§164.312(a)(2)(iii)) [high] [HIPAA] - UC-22.10.16 · Encryption of ePHI at Rest — TDE / BitLocker Status for Clinical Datastores (§164.312(a)(2)(iv)) [critical] [HIPAA] - UC-22.10.17 · Audit Controls — High-Volume ePHI Read Baseline & Anomaly (§164.312(b)) [critical] [HIPAA] - UC-22.10.18 · Integrity — Unexpected UPDATE/DELETE on PHI Tables (Clarity/Caboodle) (§164.312(c)(1)) [critical] [HIPAA] - UC-22.10.19 · Entity Authentication — Smart Card / Certificate Logon Failures (§164.312(d)) [high] [HIPAA] - UC-22.10.20 · Transmission Security — TLS 1.0/1.1 Deprecation for EHR Integrations (§164.312(e)(1)) [high] [HIPAA] - UC-22.10.21 · Access Control — Role-Based Violations (Coder Accessing Medication Admin) (§164.312(a)(1)) [critical] [HIPAA] - UC-22.10.22 · Remote ePHI Access — MFA Gap for VPN + O365 Clinical Mail (§164.312(e)(1) / §164.308(a)(1)) [critical] [HIPAA] - UC-22.10.23 · FHIR / SMART on FHIR App 
Access to ePHI Scopes (§164.312(d)) [high] [HIPAA] - UC-22.10.24 · Medical Device Integration — Unapproved HL7 Feeds to EMPI (§164.312(a)(1)) [high] [HIPAA] - UC-22.10.25 · Endpoint Controls — ePHI Clipboard/Print from VDI (§164.312(a)(1)) [high] [HIPAA] - UC-22.10.26 · Transmission Security — Unencrypted SMTP with PHI Patterns (§164.312(e)(1)) [critical] [HIPAA] - UC-22.10.27 · Integrity — Caboodle / Clarity ETL Job Failures & Partial Loads (§164.312(c)(1)) [high] [HIPAA] - UC-22.10.28 · Workstation Security — Unattended Unlocked Sessions in Clinical Pods (§164.310(b)) [high] [HIPAA] - UC-22.10.29 · Device & Media Controls — USB Mass Storage on ePHI Workstations (§164.310(d)(1)) [critical] [HIPAA] - UC-22.10.30 · Media Controls — Large PHI Print Jobs to Non-Secure Printers (§164.310(d)(2)) [high] [HIPAA] - UC-22.10.31 · Facility vs Logical Access — Badge-In Without VPN/SSO for Remote Roles (§164.310(a)(1)) [high] [HIPAA] - UC-22.10.32 · Workstation Use — After-Hours Login from Non-Clinical IP Space (§164.310(b) / §164.310(c)) [high] [HIPAA] - UC-22.10.33 · Minimum Necessary — Access Outside Active Care Team (§164.502(b) / §164.514(d)) [critical] [HIPAA] - UC-22.10.34 · Break-Glass — Emergency Access Reason Codes & Post-Review (§164.502(a)(2)(ii) / policy) [critical] [HIPAA] - UC-22.10.35 · Non-Treating Provider — Specialty Mismatch Chart Access (§164.502(a)(1)) [high] [HIPAA] - UC-22.10.36 · Bulk ePHI Export — Clarity SQL / Caboodle Extract Volume Spike (§164.502(b) / §164.312(b)) [critical] [HIPAA] - UC-22.10.37 · After-Hours ePHI Access — Billing Users on Inpatient Charts (§164.502(b)) [high] [HIPAA] - UC-22.10.38 · Deceased Patient Records — Access After Death Date (§164.502(f) / policy) [high] [HIPAA] - UC-22.10.39 · VIP / High-Profile Patient — Elevated Access Monitoring (§164.502(a) / policy) [critical] [HIPAA] - UC-22.10.40 · Research Access — Chart Views Without Active IRB Consent Flag (§164.502(a)(1) / §164.512(i)) [critical] [GDPR, HIPAA] - UC-22.10.41 · 
Accounting of Disclosures — Registry vs EHR-Logged Disclosures (§164.528) [high] [HIPAA] - UC-22.10.42 · Patient Portal — Suspicious MyChart Password Reset & MFA Changes (§164.312(d) / §164.530(c)) [critical] [HIPAA] - UC-22.10.43 · Breach Discovery — Time-to-Detect from First PHI Indicator (§164.404) [critical] [HIPAA] - UC-22.10.44 · Breach Risk Assessment — Four-Factor Documentation Tracking (§164.402 / §164.404) [critical] [HIPAA] - UC-22.10.45 · Individual Notification — Letter Generation & Mailing Evidence (§164.404(b), (d)(1)) [critical] [HIPAA] - UC-22.10.46 · HHS Secretary Notification — 500+ Individuals Threshold Watch (§164.408) [critical] [HIPAA] - UC-22.10.47 · Media Notification — Large-State Resident Threshold Tracking (§164.406(c)) [critical] [HIPAA] - UC-22.10.48 · Breach Log / Incident Register — Immutable Chronological Record (§164.402 / policy) [high] [HIPAA] - UC-22.10.49 · Breach Remediation — Control Implementation Evidence Post-Incident (§164.308(a)(1)(ii)(A)) [high] [HIPAA] - UC-22.10.50 · Annual Breach Reporting — Trend of Affected Individuals & Root Cause (§164.408 / OCR reporting) [high] [HIPAA] - UC-22.10.51 · Business Associate Access — VPN/SSO Sessions Originating from BA Address Space (§164.308(b) / §164.502(e)) [high] [HIPAA] - UC-22.10.52 · BAA Compliance Evidence — Control Attestations vs Technical Telemetry (§164.308(b)(3) / §164.502(e)) [high] [HIPAA] - UC-22.10.53 · Subcontractor Access — Downstream API Keys Touching ePHI Interfaces (§164.502(e) / BAA chain) [critical] [HIPAA] - UC-22.10.54 · Third-Party Data Sharing — O365 Sharing Links to External Domains on PHI Libraries (§164.502(b) / §164.514(e)) [critical] [HIPAA] - UC-22.10.55 · Cloud Service Provider — ePHI Hosting Admin Actions in AWS or Azure Audit (§164.308(a)(1) / §164.502(e)) [critical] [HIPAA] ### 22.13 NERC CIP - UC-22.13.1 · BES Cyber Asset Inventory Reconciliation Against Telemetry (CIP-002-6 R1 Part 1.1) [critical] [NERC CIP] - UC-22.13.2 · BES Cyber System 
Impact Rating Drift Detection (CIP-002-6 R2) [high] [NERC CIP] - UC-22.13.3 · ESP Boundary Change Detection via Firewall Configuration Events (CIP-002-6 R1 Part 1.2) [critical] [NERC CIP] - UC-22.13.4 · Annual CIP-002 Categorization Review Evidence Package (CIP-002-6 R4) [high] [NERC CIP] - UC-22.13.5 · Security Policy Exception Register with Expiration Tracking (CIP-003-8 R1 Part 1.2) [high] [NERC CIP] - UC-22.13.6 · Cyber Security Plan Technical Control Attestation — MFA for Privileged Access (CIP-003-8 R2) [critical] [NERC CIP] - UC-22.13.7 · Delegated Authority Register Change History (CIP-003-8 R3) [high] [NERC CIP] - UC-22.13.8 · Low-Impact BES Cyber System Electronic Access Path Enforcement (CIP-003-8 R4) [high] [NERC CIP] - UC-22.13.9 · Security Awareness Training Completion for BES Personnel (CIP-004-6 R1 Part 1.1) [high] [NERC CIP] - UC-22.13.10 · Personnel Risk Assessment Due-Date Monitoring (CIP-004-6 R2) [high] [NERC CIP] - UC-22.13.11 · Electronic Access Authorization Record Coverage for PAM Sessions (CIP-004-6 R3) [critical] [NERC CIP] - UC-22.13.12 · Post-Termination Access Revocation within 24 Hours (CIP-004-6 R4 Part 4.2) [critical] [NERC CIP] - UC-22.13.13 · Quarterly Access Review Dataset — Interactive Sessions by System (CIP-004-6 R5) [high] [NERC CIP] - UC-22.13.14 · Background Investigation Recency for ESP and PAM Users (CIP-004-6 R6) [high] [NERC CIP] - UC-22.13.15 · ESP Inbound First-Seen External Source Detection (CIP-005-6 R1 Part 1.3) [critical] [NERC CIP] - UC-22.13.16 · ESP Outbound Bytes Spike versus Rolling Baseline (CIP-005-6 R2 Part 2.1) [high] [NERC CIP] - UC-22.13.17 · Denied ESP Traversal Bursts Followed by Allowed Sessions (CIP-005-6 R2 Part 2.3) [critical] [NERC CIP] - UC-22.13.18 · Interactive Remote Access Session Duration on Jump Hosts (CIP-005-6 R3) [high] [NERC CIP] - UC-22.13.19 · EACMS and IRA Authentication Failure Concentration (CIP-005-6 R4 Part 4.2) [critical] [NERC CIP] - UC-22.13.20 · ESP Security Rule Commit 
Without Approved Change Record (CIP-005-6 R1 Part 1.4) [critical] [NERC CIP] - UC-22.13.21 · Vendor Interactive Remote Access — Encryption and Session Recording Evidence (CIP-005-6 R3 Part 3.2) [critical] [NERC CIP] - UC-22.13.22 · Dial-Up or Serial Out-of-Band Access on ESP-Adjacent Segments (CIP-005-6 R2 Part 2.4) [high] [NERC CIP] - UC-22.13.23 · Physical Access Outside Approved Maintenance Window at PSP (CIP-006-6 R1 Part 1.2) [high] [NERC CIP] - UC-22.13.24 · Unauthorized Physical Access Attempts at PSP (CIP-006-6 R2) [critical] [NERC CIP] - UC-22.13.25 · Visitor Badge Without Escort Within Policy Window (CIP-006-6 R3 Part 3.1) [high] [NERC CIP] - UC-22.13.26 · Physical Access Log Ingest Continuity for Retention Evidence (CIP-006-6 R4) [high] [NERC CIP] - UC-22.13.27 · PSP Forced Door with Concurrent ESP Interactive Logon (CIP-006-6 R3 Part 3.2) [critical] [NERC CIP] - UC-22.13.28 · Listening Port and Service Baseline Deviation on BES Servers (CIP-007-6 R1 Part 1.2) [high] [NERC CIP] - UC-22.13.29 · Security Patch Evaluation Completion Tracking (CIP-007-6 R2 Part 2.1) [high] [NERC CIP] - UC-22.13.30 · Patch Installation or Mitigation within 35-Day Window (CIP-007-6 R2 Part 2.3) [critical] [NERC CIP] - UC-22.13.31 · Malware Prevention Agent Coverage on BES Cyber Assets (CIP-007-6 R3 Part 3.1) [high] [NERC CIP] - UC-22.13.32 · Malware Detection Events on BES Cyber Systems (CIP-007-6 R4 Part 4.1) [critical] [NERC CIP] - UC-22.13.33 · Security Event Log Generation Validation for Windows BES Hosts (CIP-007-6 R4 Part 4.2) [high] [NERC CIP] - UC-22.13.34 · Failed and Successful Login Attempt Monitoring on BES Assets (CIP-007-6 R5 Part 5.1) [high] [NERC CIP] - UC-22.13.35 · Default, Built-In, or Generic Account Usage on BES Hosts (CIP-007-6 R5 Part 5.2) [critical] [NERC CIP] - UC-22.13.36 · Shared Account Justification Review Queue (CIP-007-6 R5 Part 5.3) [high] [NERC CIP] - UC-22.13.37 · Password or Passphrase Policy Violations from Domain Controller Auditing 
(CIP-007-6 R5 Part 5.4) [high] [NERC CIP] - UC-22.13.38 · Cyber Security Incident Identification from Correlated ESP and Endpoint Alerts (CIP-008-6 R1 Part 1.1) [critical] [NERC CIP] - UC-22.13.39 · Reportable Incident Classification — BES Reliability Impact Signals (CIP-008-6 R2 Part 2.1) [critical] [NERC CIP] - UC-22.13.40 · Incident Response Timeline Milestone Tracking (CIP-008-6 R3 Part 3.2) [critical] [NERC CIP] - UC-22.13.41 · NERC Filing Deadline Compliance Countdown (CIP-008-6 R4 Part 4.1) [critical] [NERC CIP] - UC-22.13.42 · Incident Evidence Preservation — Splunk Search Artifact Export Audit (CIP-008-6 R5 Part 5.1) [high] [NERC CIP] - UC-22.13.43 · Post-Incident Lessons Learned Action Item Tracking (CIP-008-6 R6) [high] [NERC CIP] - UC-22.13.44 · Backup Job Success and Failure for BES Databases and Configuration Stores (CIP-009-6 R1 Part 1.1) [critical] [NERC CIP] - UC-22.13.45 · Backup Media Integrity Test Results (CIP-009-6 R2 Part 2.2) [high] [NERC CIP] - UC-22.13.46 · Recovery Plan Exercise Attendance and Scenario Evidence (CIP-009-6 R3 Part 3.1) [high] [NERC CIP] - UC-22.13.47 · Data Preservation During Recovery Activities (CIP-009-6 R4 Part 4.1) [critical] [NERC CIP] - UC-22.13.48 · BES Cyber System Restore Drill — RTO Measurement (CIP-009-6 R5 Part 5.1) [high] [NERC CIP] - UC-22.13.49 · Baseline Configuration Deviation — Key OS and Application Settings (CIP-010-4 R1 Part 1.1) [high] [NERC CIP] - UC-22.13.50 · Unauthorized Software Installation on BES Windows Servers (CIP-010-4 R2 Part 2.1) [critical] [NERC CIP] - UC-22.13.51 · Configuration Change Authorization Linkage for Network Devices (CIP-010-4 R3 Part 3.1) [critical] [NERC CIP] - UC-22.13.52 · Vulnerability Assessment After Material Configuration Changes (CIP-010-4 R4 Part 4.1) [high] [NERC CIP] - UC-22.13.53 · Transient Cyber Asset Connection Logging to ESP Jump Zones (CIP-010-4 R5 Part 5.1) [high] [NERC CIP] - UC-22.13.54 · Removable Media Mount Events on Engineering Workstations 
(CIP-010-4 R6 Part 6.1) [high] [NERC CIP] - UC-22.13.55 · TCA Scan-Before-Connect Compliance from NAC or Agent Logs (CIP-010-4 R5 Part 5.3) [critical] [NERC CIP] - UC-22.13.56 · Baseline Update Documentation — Config Baseline Version Changes (CIP-010-4 R1 Part 1.3) [high] [NERC CIP] - UC-22.13.57 · BES Cyber System Information Access via Share and Web Downloads (CIP-011-3 R1 Part 1.1) [critical] [NERC CIP] - UC-22.13.58 · BCSI Storage Location Inventory vs. Observed Disk Paths (CIP-011-3 R2 Part 2.1) [high] [NERC CIP] - UC-22.13.59 · Information Handling Procedure Compliance — Email DLP for BCSI (CIP-011-3 R3 Part 3.1) [critical] [NERC CIP] - UC-22.13.60 · BCSI Destruction and Sanitization Evidence from ITAD Tickets (CIP-011-3 R4 Part 4.1) [high] [NERC CIP] - UC-22.13.61 · Control Center Real-Time Assessment TLS Cipher and Certificate Health (CIP-012-1 R1 Part 1.1) [critical] [NERC CIP] - UC-22.13.62 · Inter-Control-Center Link Availability from Synthetic Tests (CIP-012-1 R2 Part 2.1) [critical] [NERC CIP] - UC-22.13.63 · Communication Path Integrity — Unexpected Route or ASN Changes (CIP-012-1 R3 Part 3.1) [high] [NERC CIP] - UC-22.13.64 · Vendor Risk Assessment Due Dates for Critical Suppliers (CIP-013-1 R1 Part 1.1) [high] [NERC CIP] - UC-22.13.65 · Software Package Integrity — Signed Installer Verification Failures (CIP-013-1 R2 Part 2.1) [critical] [NERC CIP] - UC-22.13.66 · Vendor Security Incident Notification Receipt Tracking (CIP-013-1 R3 Part 3.1) [high] [NERC CIP] - UC-22.13.67 · Supply Chain Incident Response Task Tracking (CIP-013-1 R4 Part 4.1) [critical] [NERC CIP] - UC-22.13.68 · Transmission Station Threat Assessment Evidence Indexing (CIP-014-3 R1 Part 1.1) [high] [NERC CIP] - UC-22.13.69 · Transmission Physical Security Plan Control Checklist Status (CIP-014-3 R2 Part 2.1) [high] [NERC CIP] - UC-22.13.70 · Unplanned Physical Security Incidents at Transmission Sites (CIP-014-3 R3 Part 3.1) [critical] [NERC CIP] ### 22.14 NIST 800-53 Rev. 
5
- UC-22.14.1 · Centralized Audit Event Logging Policy Coverage (AU-2) [critical] [NIST 800-53]
- UC-22.14.2 · Audit Record Content Completeness for Privileged Actions (AU-3) [critical] [NIST 800-53]
- UC-22.14.3 · Audit Storage Capacity and Index Growth Guardrails (AU-4) [high] [NIST 800-53]
- UC-22.14.4 · Response to Audit Logging Failures and Forwarder Gaps (AU-5) [critical] [NIST 800-53]
- UC-22.14.5 · Audit Review, Analysis, and Reporting for Privileged Users (AU-6) [critical] [NIST 800-53]
- UC-22.14.6 · Audit Reduction and Report Generation Integrity (AU-7) [high] [NIST 800-53]
- UC-22.14.7 · Time Synchronization and Clock Skew for Audit Timestamps (AU-8) [high] [NIST 800-53]
- UC-22.14.8 · Protection of Audit Information — Tamper Detection on Audit Indexes (AU-9) [critical] [NIST 800-53]
- UC-22.14.9 · Non-Repudiation Evidence for Sensitive Transactions (AU-10) [high] [NIST 800-53]
- UC-22.14.10 · Audit Record Retention Compliance vs Policy (AU-11) [high] [NIST 800-53]
- UC-22.14.11 · Audit Generation Coverage for Critical Network Controls (AU-12) [critical] [NIST 800-53]
- UC-22.14.12 · Monitoring for Information Disclosure via DLP and Web Exfil Patterns (AU-13) [high] [NIST 800-53]
- UC-22.14.13 · Session Audit for Privileged Interactive Access (AU-14) [high] [NIST 800-53]
- UC-22.14.14 · Alternate Audit Capability During Control Outages (AU-15) [high] [NIST 800-53]
- UC-22.14.15 · Cross-Organizational Audit Forwarding Health to SIEM (AU-16) [high] [NIST 800-53]
- UC-22.14.16 · Account Management — Orphan and Stale Privileged Accounts (AC-2) [critical] [NIST 800-53]
- UC-22.14.17 · Access Enforcement — Unauthorized Access Attempts to Sensitive Shares (AC-3) [critical] [NIST 800-53]
- UC-22.14.18 · Separation of Duties Violations in Change Tickets (AC-5) [high] [NIST 800-53]
- UC-22.14.19 · Least Privilege — Excessive Cloud IAM Permissions (AC-6) [critical] [NIST 800-53]
- UC-22.14.20 · Unsuccessful Logon Attempts and Account Lockout Patterns (AC-7) [high] [NIST 800-53]
- UC-22.14.21 · System Use Notification Banner Acceptance in SSH Sessions (AC-8) [high] [NIST 800-53]
- UC-22.14.22 · Session Lock Events for Workstation Inactivity Policy (AC-11) [high] [NIST 800-53]
- UC-22.14.23 · Session Termination on Logoff and VPN Disconnect (AC-12) [high] [NIST 800-53]
- UC-22.14.24 · Remote Access Anomalies — Geo-Velocity and Off-Hours VPN (AC-17) [critical] [NIST 800-53]
- UC-22.14.25 · Use of External Systems — Unmanaged SaaS OAuth Grants (AC-20) [high] [NIST 800-53]
- UC-22.14.26 · Multifactor Authentication Gaps for Interactive Sign-Ins (IA-2) [critical] [NIST 800-53]
- UC-22.14.27 · Device Identification for Corporate-Managed Endpoints (IA-3) [high] [NIST 800-53]
- UC-22.14.28 · Identifier Management — Non-Human Service Account Sprawl (IA-4) [high] [NIST 800-53]
- UC-22.14.29 · Authenticator Management — Password Age and Rotation Anomalies (IA-5) [high] [NIST 800-53]
- UC-22.14.30 · Authentication Feedback — Credential Stuffing via Login Failures (IA-6) [medium] [NIST 800-53]
- UC-22.14.31 · Identification of Non-Organization Users in Collaboration Tools (IA-8) [high] [NIST 800-53]
- UC-22.14.32 · Re-Authentication for Sensitive Application Roles (IA-11) [high] [NIST 800-53]
- UC-22.14.33 · Identity Proofing Evidence for HR Onboarding Events (IA-12) [high] [NIST 800-53]
- UC-22.14.34 · Flaw Remediation SLA Tracking from Vulnerability Scans (SI-2) [critical] [NIST 800-53]
- UC-22.14.35 · Malicious Code Protection — EDR / AV Detections Volume and Gaps (SI-3) [critical] [NIST 800-53]
- UC-22.14.36 · System Monitoring — Host Instrumentation Coverage vs Inventory (SI-4) [critical] [NIST 800-53]
- UC-22.14.37 · Security Alerts Ingestion Health from Vendor Feeds (SI-5) [high] [NIST 800-53]
- UC-22.14.38 · Security Function Verification — Forwarder Config Change Auditing (SI-6) [high] [NIST 800-53]
- UC-22.14.39 · Software and Firmware Integrity — Unexpected Driver Loads (SI-7) [critical] [NIST 800-53]
- UC-22.14.40 · Information Input Validation — Web Parameter Anomalies (SI-10) [high] [NIST 800-53]
- UC-22.14.41 · Error Handling — Application Stack Traces Exposing Internals (SI-11) [medium] [NIST 800-53]
- UC-22.14.42 · Information Management — Sensitive Fields in Unapproved Indexes (SI-12) [high] [NIST 800-53]
- UC-22.14.43 · Memory Protection Signals — Exploitation Primitives in EDR Telemetry (SI-16) [critical] [NIST 800-53]
- UC-22.14.44 · Incident Response Training Completion Tracking (IR-2) [medium] [NIST 800-53]
- UC-22.14.45 · Incident Handling Stage Timestamps from Case Management (IR-4) [critical] [NIST 800-53]
- UC-22.14.46 · Incident Monitoring — SOC Queue Depth and Severity Mix (IR-5) [high] [NIST 800-53]
- UC-22.14.47 · Incident Reporting to Authorities — Regulatory Timer Watch (IR-6) [critical] [NIST 800-53]
- UC-22.14.48 · Incident Response Assistance — External IR Firm Access Auditing (IR-7) [high] [NIST 800-53]
- UC-22.14.49 · Incident Response Plan Test Evidence from Scheduled Tabletop Tags (IR-8) [medium] [NIST 800-53]
- UC-22.14.50 · Information Spillage — DLP High-Severity Exfil Indicators (IR-9) [critical] [NIST 800-53]
- UC-22.14.51 · Integrated Information Security Analysis Team Handoffs (IR-10) [high] [NIST 800-53]
- UC-22.14.52 · Baseline Configuration Drift vs Gold Build (CM-2) [high] [NIST 800-53]
- UC-22.14.53 · Configuration Change Control — Unauthorized Firewall Rule Adds (CM-3) [critical] [NIST 800-53]
- UC-22.14.54 · Security Impact Analysis Signals for Emergency Changes (CM-4) [high] [NIST 800-53]
- UC-22.14.55 · Access Restrictions for Change — Privileged Route Changes (CM-5) [high] [NIST 800-53]
- UC-22.14.56 · Configuration Settings Compliance — CIS Benchmark Control Checks (CM-6) [high] [NIST 800-53]
- UC-22.14.57 · Least Functionality — Unexpected Listening Ports (CM-7) [high] [NIST 800-53]
- UC-22.14.58 · System Component Inventory vs Observed Network Assets (CM-8) [high] [NIST 800-53]
- UC-22.14.59 · User-Installed Software Detections on Corporate Images (CM-11) [medium] [NIST 800-53]
- UC-22.14.60 · Control Assessment Findings Ingest and Aging (CA-2) [high] [NIST 800-53]
- UC-22.14.61 · Information Exchange Agreements — Data Share Volume Anomalies (CA-3) [high] [NIST 800-53]
- UC-22.14.62 · Plan of Action and Milestones Open Items Past Due (CA-5) [high] [NIST 800-53]
- UC-22.14.63 · Continuous Monitoring Control Health Scores (CA-7) [critical] [NIST 800-53]
- UC-22.14.64 · Penetration Test Windows and Detected Activities (CA-8) [high] [NIST 800-53]
- UC-22.14.65 · Internal System Connections — East-West New Service Relationships (CA-9) [high] [NIST 800-53]
- UC-22.14.66 · Residual Information in Shared Cloud Object Stores (SC-4) [high] [NIST 800-53]
- UC-22.14.67 · Boundary Protection — Firewall Deny Burst to Sensitive Segments (SC-7) [critical] [NIST 800-53]
- UC-22.14.68 · Transmission Confidentiality and Integrity — TLS Policy Downgrades (SC-8) [critical] [NIST 800-53]
- UC-22.14.69 · Network Disconnect for Inactive Sessions on Admin Services (SC-10) [high] [NIST 800-53]
- UC-22.14.70 · Cryptographic Key Management Events from Cloud KMS (SC-12) [critical] [NIST 800-53]
- UC-22.14.71 · Cryptographic Protection — BitLocker or Disk Encryption Status Drops (SC-13) [high] [NIST 800-53]
- UC-22.14.72 · Session Authenticity — Token Replay Across Geographies (SC-23) [critical] [NIST 800-53]
- UC-22.14.73 · Protection of Information at Rest — Storage Encryption Misconfigurations (SC-28) [critical] [NIST 800-53]
- UC-22.14.74 · Risk Assessment Inputs — Control Deficiency Hotspots (RA-3) [high] [NIST 800-53]
- UC-22.14.75 · Vulnerability Monitoring — Exploitable in the Wild Prioritization (RA-5) [critical] [NIST 800-53]
- UC-22.14.76 · Risk Response Effectiveness After Control Changes (RA-7) [medium] [NIST 800-53]
- UC-22.14.77 · Threat Hunting Outcomes Logged for Repeatable Hunts (RA-10) [high] [NIST 800-53]
- UC-22.14.78 · Contingency Plan Tabletop and Activation Logging (CP-2) [medium] [NIST 800-53]
- UC-22.14.79 · System Backup Success and RPO Violations (CP-9) [critical] [NIST 800-53]
- UC-22.14.80 · System Recovery Time Objective Tracking from DR Drills (CP-10) [critical] [NIST 800-53]

### 22.15 IEC 62443

- UC-22.15.1 · OT Security Policy Control Evidence from Log Review (IEC 62443-2-1 / 4.2.2) [high] [IEC 62443]
- UC-22.15.2 · IACS Cyber Risk Assessment — Critical OT Asset Exposure (IEC 62443-2-1 / 4.2.3) [critical] [IEC 62443]
- UC-22.15.3 · OT Security Awareness Training Completion (IEC 62443-2-1 / 4.3.2.6) [medium] [IEC 62443]
- UC-22.15.4 · Privileged OT Account Changes vs Personnel Screening (IEC 62443-2-1 / 4.3.3.4) [high] [IEC 62443]
- UC-22.15.5 · IACS Incident Response Containment Interval (IEC 62443-2-1 / 4.3.4.5) [critical] [IEC 62443]
- UC-22.15.6 · Control System Continuity — Historian Export and OT Backup Health (IEC 62443-2-1 / 4.3.4.3) [critical] [IEC 62443]
- UC-22.15.7 · OT Security Audit Population Sampling Dashboard (IEC 62443-2-1 / 4.4.3) [high] [IEC 62443]
- UC-22.15.8 · OT Change Management — PLC Download Without CM Ticket (IEC 62443-2-1 / 4.3.4.4) [critical] [IEC 62443]
- UC-22.15.9 · Physical Access vs OT Network First-Seen Asset (IEC 62443-2-1 / 4.3.3.3) [high] [IEC 62443]
- UC-22.15.10 · Vendor Remote Maintenance Window and Dual-Control Evidence (IEC 62443-2-1 / 4.4.3.2) [high] [IEC 62443]
- UC-22.15.11 · HMI and Jump Host Human User Identification Gaps (IEC 62443-3-3 / SR 1.1) [critical] [IEC 62443]
- UC-22.15.12 · Non-Interactive Industrial Protocol Clients Without Device Identity (IEC 62443-3-3 / SR 1.2) [high] [IEC 62443]
- UC-22.15.13 · Stale or Shared OT Service Accounts (IEC 62443-3-3 / SR 1.3) [high] [IEC 62443]
- UC-22.15.14 · Weak OTP or Missing MFA Step for OT VPN (IEC 62443-3-3 / SR 1.5) [critical] [IEC 62443]
- UC-22.15.15 · Short or Default Password Patterns in OT Authentication Logs (IEC 62443-3-3 / SR 1.7) [high] [IEC 62443]
- UC-22.15.16 · Certificate-Based OPC-UA Logon Failures and Weak Trust Stores (IEC 62443-3-3 / SR 1.9) [high] [IEC 62443]
- UC-22.15.17 · OT Access from Untrusted Networks Without Split Tunnel Block (IEC 62443-3-3 / SR 1.13) [critical] [IEC 62443]
- UC-22.15.18 · Unauthorized Writes to Modbus Holding Registers (IEC 62443-3-3 / SR 2.1) [critical] [IEC 62443]
- UC-22.15.19 · Unsigned Macros or Scripts Executed on Engineering Workstation (IEC 62443-3-3 / SR 2.4) [high] [IEC 62443]
- UC-22.15.20 · HMI Session Lock Bypass — Long Idle Operator Consoles (IEC 62443-3-3 / SR 2.5) [medium] [IEC 62443]
- UC-22.15.21 · Forced Remote Engineering Session Termination After Hours (IEC 62443-3-3 / SR 2.6) [high] [IEC 62443]
- UC-22.15.22 · OT Auditable Event Coverage by Zone and Source (IEC 62443-3-3 / SR 2.8) [high] [IEC 62443]
- UC-22.15.23 · Audit Index Growth vs Licensed Retention (Capacity Risk) (IEC 62443-3-3 / SR 2.9) [medium] [IEC 62443]
- UC-22.15.24 · Forwarder Stops — Audit Pipeline Failure Response (IEC 62443-3-3 / SR 2.10) [critical] [IEC 62443]
- UC-22.15.25 · Clock Skew on OT Hosts vs NTP Stratum (IEC 62443-3-3 / SR 2.11) [high] [IEC 62443]
- UC-22.15.26 · Dual-Signature PLC Program Change Without Four-Eyes Ticket (IEC 62443-3-3 / SR 2.12) [critical] [IEC 62443]
- UC-22.15.27 · OPC-UA Message Tampering Indicators via Signature Failures (IEC 62443-3-3 / SR 3.1) [critical] [IEC 62443]
- UC-22.15.28 · PLC Firmware Verification Job Failures (IEC 62443-3-3 / SR 3.3) [high] [IEC 62443]
- UC-22.15.29 · Unexpected PLC Logic CRC Change (IEC 62443-3-3 / SR 3.4) [critical] [IEC 62443]
- UC-22.15.30 · Out-of-Range SCADA Setpoints and Invalid Control Commands (IEC 62443-3-3 / SR 3.5) [critical] [IEC 62443]
- UC-22.15.31 · Cleartext Industrial Credentials in PCAP-Derived Metadata (IEC 62443-3-3 / SR 4.1) [critical] [IEC 62443]
- UC-22.15.32 · Deprecated TLS or SSH Algorithms on OT Jump Hosts (IEC 62443-3-3 / SR 4.3) [high] [IEC 62443]
- UC-22.15.33 · East-West OT Traffic Crossing Intended Purdue Levels (IEC 62443-3-3 / SR 5.1) [critical] [IEC 62443]
- UC-22.15.34 · Denied Exploit Attempts at OT DMZ Boundary (IEC 62443-3-3 / SR 5.2) [critical] [IEC 62443]
- UC-22.15.35 · Mixed Safety and Non-Safety Traffic on Same VLAN Evidence (IEC 62443-3-3 / SR 5.4) [high] [IEC 62443]
- UC-22.15.36 · PLC Local Console Login Without Corporate Identity (IEC 62443-4-2 / CR 1.1) [high] [IEC 62443]
- UC-22.15.37 · Unauthorized Firmware Upload Attempt on RTU (IEC 62443-4-2 / CR 2.1) [critical] [IEC 62443]
- UC-22.15.38 · Embedded PLC Audit Log Forwarding Gaps (IEC 62443-4-2 / CR 2.8) [high] [IEC 62443]
- UC-22.15.39 · Secure Boot or Image Hash Mismatch on Industrial Appliance (IEC 62443-4-2 / CR 3.4) [critical] [IEC 62443]
- UC-22.15.40 · Modbus Serial Gateway Exposing Registers to Wrong TCP Subnet (IEC 62443-4-2 / CR 4.1) [high] [IEC 62443]
- UC-22.15.41 · Duplicate IP or MAC on OT Switch — Segmentation Violation (IEC 62443-4-2 / CR 5.1) [high] [IEC 62443]
- UC-22.15.42 · High-Rate Modbus Exception Responses (Potential DoS) (IEC 62443-4-2 / CR 6.1) [critical] [IEC 62443]
- UC-22.15.43 · PLC CPU Load and Scan Cycle Degradation (IEC 62443-4-2 / CR 6.2) [high] [IEC 62443]
- UC-22.15.44 · Redundant Controller Failover During Attack Window (IEC 62443-4-2 / CR 7.1) [critical] [IEC 62443]
- UC-22.15.45 · Historian Query Saturation During Incident (IEC 62443-4-2 / CR 7.2) [medium] [IEC 62443]
- UC-22.15.46 · Zone Boundary Traffic Monitoring — Anomalous Inter-Zone Volume (IEC 62443-3-2 / Zone boundary traffic monitoring) [high] [IEC 62443]
- UC-22.15.47 · Conduit Traffic Allowlist Enforcement — Unexpected DNP3 Functions (IEC 62443-3-2 / Conduit traffic allowlist enforcement) [critical] [IEC 62443]
- UC-22.15.48 · Cross-Zone Protocol Anomaly Detection — IEC 61850 GOOSE Floods (IEC 62443-3-2 / Cross-zone protocol anomaly detection) [critical] [IEC 62443]
- UC-22.15.49 · Safety Zone Isolation Verification — Non-Safety OPC on SIS VLAN (IEC 62443-3-2 / Safety zone isolation verification) [critical] [IEC 62443]
- UC-22.15.50 · DMZ Integrity Between IT and OT — Corporate Browser to OT HMI (IEC 62443-3-2 / DMZ integrity between IT and OT) [high] [IEC 62443]
- UC-22.15.51 · Engineering Workstation Access Control — RDP Skips Jump Tier (IEC 62443-3-2 / Engineering workstation access control) [critical] [IEC 62443]
- UC-22.15.52 · Historian-to-Corporate Data Flow Audit — Large ODBC Without SPN (IEC 62443-3-2 / Historian-to-corporate data flow audit) [high] [IEC 62443]
- UC-22.15.53 · Wireless Zone Security Monitoring — Unknown Clients on OT SSID (IEC 62443-3-2 / Wireless zone security monitoring) [high] [IEC 62443]
- UC-22.15.54 · Remote Access Conduit Integrity — Split Tunnel on OT VPN Portal (IEC 62443-3-2 / Remote access conduit integrity) [critical] [IEC 62443]
- UC-22.15.55 · Zone Trust Level Verification — SL-T vs Observed Purdue Layer (IEC 62443-3-2 / Zone trust level verification) [high] [IEC 62443]

### 22.12 SOX / ITGC

- UC-22.12.1 · User provisioning evidence tied to financial application accounts (SOX §404 / COSO) [high] [SOX / ITGC]
- UC-22.12.2 · Privileged access review completion and aging for financial systems (SOX §404) [medium] [SOX / ITGC]
- UC-22.12.3 · Segregation of duties conflicts across SAP / Oracle financial roles (SOX §404) [low] [SOX, SOX / ITGC]
- UC-22.12.4 · Administrator and break-glass usage on production financial hosts (SOX §404) [critical] [SOX / ITGC]
- UC-22.12.5 · Terminated-user authentication after HR termination date (SOX §404) [high] [SOX / ITGC]
- UC-22.12.6 · Periodic access certification exceptions for in-scope applications (SOX §404) [medium] [SOX / ITGC]
- UC-22.12.7 · Orphaned and dormant accounts with recent interactive activity (SOX §404) [low] [SOX / ITGC]
- UC-22.12.8 · Emergency change retrospective documentation completeness (SOX ITGC) [critical] [SOX / ITGC]
- UC-22.12.9 · Production configuration drift without matching approved change (SOX ITGC) [high] [SOX / ITGC]
- UC-22.12.10 · Change approval workflow evidence for financially material CIs (SOX ITGC) [medium] [SOX / ITGC]
- UC-22.12.11 · CAB evidence and high-risk change documentation gaps (SOX ITGC) [low] [SOX / ITGC]
- UC-22.12.12 · Production change volume during financial close windows (SOX close) [critical] [SOX / ITGC]
- UC-22.12.13 · Failed change rollback and backout evidence tracking (SOX ITGC) [high] [SOX / ITGC]
- UC-22.12.14 · Changes executed outside approved maintenance windows (SOX ITGC) [medium] [SOX / ITGC]
- UC-22.12.15 · Financial close batch job failures and runtime SLA breaches (SOX close) [low] [SOX / ITGC]
- UC-22.12.16 · General ledger database backup success within policy windows (SOX ITGC) [critical] [SOX / ITGC]
- UC-22.12.17 · Unauthorized batch schedule or dependency modifications (SOX ITGC) [high] [SOX / ITGC]
- UC-22.12.18 · ITSI service health for financial reporting dependency chain (SOX availability) [medium] [SOX / ITGC]
- UC-22.12.19 · Close-processing cluster CPU saturation during peak windows (SOX performance) [low] [SOX / ITGC]
- UC-22.12.20 · Disaster recovery test execution and evidence correlation (SOX DR) [critical] [SOX / ITGC]
- UC-22.12.21 · Priority incident aging for finance-critical configuration items (SOX operations) [high] [SOX / ITGC]
- UC-22.12.22 · Financial close checklist task completion by owner (SOX close) [medium] [SOX / ITGC]
- UC-22.12.23 · After-hours and high-value journal entry concentration (SOX JE) [low] [SOX / ITGC]
- UC-22.12.24 · Sequential ERP document number gap detection (SOX audit trail) [critical] [SOX / ITGC]
- UC-22.12.25 · Duplicate disbursement pattern detection in AP subledger (SOX cash) [high] [SOX / ITGC]
- UC-22.12.26 · Sensitive management financial report access and export (SOX reporting) [medium] [SOX / ITGC]
- UC-22.12.27 · Subledger-to-general-ledger reconciliation variance monitoring (SOX reconciliation) [low] [SOX / ITGC]
- UC-22.12.28 · Quarterly privileged ERP role population for sign-off (SOX access) [critical] [SOX / ITGC]
- UC-22.12.29 · IT control testing sample evidence retrieval by control ID (SOX testing) [high] [SOX / ITGC]
- UC-22.12.30 · Open IT control exception aging and escalation tiers (SOX exceptions) [medium] [SOX / ITGC]
- UC-22.12.31 · Audit finding remediation milestone and due-date risk (SOX remediation) [low] [SOX / ITGC]
- UC-22.12.32 · External audit IT finding closure and retest documentation (SOX audit) [critical] [SOX / ITGC]
- UC-22.12.33 · IT control self-assessment questionnaire completion rates (SOX CSA) [high] [SOX / ITGC]
- UC-22.12.34 · IT risk register residual score movement for financial reporting risks (SOX risk) [medium] [SOX / ITGC]
- UC-22.12.35 · Monthly ITGC KPI pack for management review evidence (SOX management review) [low] [SOX / ITGC]

### 22.16 TSA Pipeline Security

- UC-22.16.1 · IT/OT boundary deny vs allow ratio by zone pair (TSA Pipeline Security) [high] [TSA Pipeline Security Directive]
- UC-22.16.2 · Cross-zone traffic volume spike vs baseline (TSA segmentation) [medium] [TSA Pipeline Security Directive]
- UC-22.16.3 · Lateral authentication chains across OT VLANs (TSA IR readiness) [low] [TSA Pipeline Security Directive]
- UC-22.16.4 · Unexpected IT-style applications in OT enclaves (TSA segmentation) [critical] [TSA Pipeline Security Directive]
- UC-22.16.5 · DMZ jump host concurrent multi-segment sessions (TSA architecture) [high] [TSA Pipeline Security Directive]
- UC-22.16.6 · Unauthorized MAC appearances on OT uplink ports (TSA physical/logical) [medium] [TSA Pipeline Security Directive]
- UC-22.16.7 · Interactive logons to pipeline engineering workstations (TSA access) [low] [TSA Pipeline Security Directive]
- UC-22.16.8 · Privileged remote maintenance with MFA and recording correlation (TSA access) [critical] [TSA Pipeline Security Directive]
- UC-22.16.9 · Contractor MFA gaps to OT bastion and VPN portals (TSA access) [high] [TSA Pipeline Security Directive]
- UC-22.16.10 · Vendor account usage outside approved maintenance windows (TSA vendor access) [medium] [TSA Pipeline Security Directive]
- UC-22.16.11 · Shared OT maintenance account attribution via PAM (TSA access) [low] [TSA Pipeline Security Directive]
- UC-22.16.12 · Break-glass vault usage correlated to active P1 incidents (TSA emergency access) [critical] [TSA Pipeline Security Directive]
- UC-22.16.13 · OT alert volume by NIST CSF-style category (TSA incident response) [high] [TSA Pipeline Security Directive]
- UC-22.16.14 · Cybersecurity plan milestone on-time completion (TSA SD) [medium] [TSA Pipeline Security Directive]
- UC-22.16.15 · Composite severity from OT alerts and SCADA health (TSA IR) [low] [TSA Pipeline Security Directive]
- UC-22.16.16 · Regulatory notification task checklist aging (TSA reporting) [critical] [TSA Pipeline Security Directive]
- UC-22.16.17 · PLC mode changes during active OT incidents (TSA containment) [high] [TSA Pipeline Security Directive]
- UC-22.16.18 · Post-incident recovery test evidence in problem records (TSA recovery) [medium] [TSA Pipeline Security Directive]
- UC-22.16.19 · Cybersecurity implementation plan artifact versioning (TSA plan) [low] [TSA Pipeline Security Directive]
- UC-22.16.20 · Documented subnets vs observed NetFlow peers (TSA architecture) [critical] [TSA Pipeline Security Directive]
- UC-22.16.21 · Control-loop latency before vs after hardening window (TSA effectiveness) [high] [TSA Pipeline Security Directive]
- UC-22.16.22 · PLC/RTU inventory without expected monitoring agent (TSA inventory) [medium] [TSA Pipeline Security Directive]
- UC-22.16.23 · ICS advisory affected firmware still installed (TSA vulnerability) [low] [TSA Pipeline Security Directive]
- UC-22.16.24 · Qualitative OT cyber risk scenario roll-up (TSA risk) [critical] [TSA Pipeline Security Directive]
- UC-22.16.25 · SCADA master redundancy failover duration (TSA monitoring) [high] [TSA Pipeline Security Directive]
- UC-22.16.26 · Blocked unauthorized PLC logic downloads (TSA integrity) [medium] [TSA Pipeline Security Directive]
- UC-22.16.27 · OT configuration changes without ITSM change record (TSA change) [low] [TSA Pipeline Security Directive]
- UC-22.16.28 · Monthly OT security posture score trend by site (TSA monitoring) [critical] [TSA Pipeline Security Directive]
- UC-22.16.29 · First-seen OT patch-repository binary hashes (TSA supply chain) [high] [TSA Pipeline Security Directive]
- UC-22.16.30 · Threat-intel hits on OT DNS forwarder queries (TSA threat intel) [medium] [TSA Pipeline Security Directive]

### 22.18 API 1164 Pipeline SCADA Security

- UC-22.18.1 · FactoryTalk excessive operator login sessions (API RP 1164) [high] [API RP 1164]
- UC-22.18.2 · FactoryTalk compressor-area role mismatch (API RP 1164) [medium] [API RP 1164]
- UC-22.18.3 · OPC-UA Write method without named approver (API RP 1164) [low] [API RP 1164]
- UC-22.18.4 · FactoryTalk rejected open/close commands (API RP 1164) [critical] [API RP 1164]
- UC-22.18.5 · FactoryTalk operator sessions idle over 2 h (API RP 1164) [high] [API RP 1164]
- UC-22.18.6 · Vendor or field-tech Windows logons outside depot hours (API RP 1164) [medium] [API RP 1164]
- UC-22.18.7 · Pipeline HMI app running on jailbroken mobile (API RP 1164) [low] [API RP 1164]
- UC-22.18.8 · DNP3 high-volume direct-operate commands (API RP 1164) [critical] [API RP 1164]
- UC-22.18.9 · PI-AF setpoint changes beyond 15 percent (API RP 1164) [high] [API RP 1164]
- UC-22.18.10 · Modbus coil writes on SIL-rated registers (API RP 1164) [medium] [API RP 1164]
- UC-22.18.11 · Ignition pump actions originating from scripts (API RP 1164) [low] [API RP 1164]
- UC-22.18.12 · ESD or shutdown alarm acknowledgements (API RP 1164) [critical] [API RP 1164]
- UC-22.18.13 · Rockwell controller program download or upload by vendor (API RP 1164) [high] [API RP 1164]
- UC-22.18.14 · OPC-UA unsigned program downloads (API RP 1164) [medium] [API RP 1164]
- UC-22.18.15 · FIELD zone to SCADA-DMZ unexpected bytes (API RP 1164) [low] [API RP 1164]
- UC-22.18.16 · ENTERPRISE to SCADA-DMZ flows (API RP 1164) [critical] [API RP 1164]
- UC-22.18.17 · DNP3 traffic on non-standard ports (API RP 1164) [high] [API RP 1164]
- UC-22.18.18 · Pipeline-field WiFi without WPA3-Enterprise (API RP 1164) [medium] [API RP 1164]
- UC-22.18.19 · Edge Modbus gateway exposing over 200 unit IDs (API RP 1164) [low] [API RP 1164]
- UC-22.18.20 · OT-PLC TLSv1.0 connections (API RP 1164) [critical] [API RP 1164]
- UC-22.18.21 · Vendor GlobalProtect jump from non-standard image (API RP 1164) [high] [API RP 1164]
- UC-22.18.22 · Field devices on firmware behind ICS-CERT required version (API RP 1164) [medium] [API RP 1164]
- UC-22.18.23 · Schneider PLC logic changes by user span (API RP 1164) [low] [API RP 1164]
- UC-22.18.24 · Modbus CRC success rate below 99.5 percent (API RP 1164) [critical] [API RP 1164]
- UC-22.18.25 · Wonderware flow/pressure tag jumps over 50 percent (API RP 1164) [high] [API RP 1164]
- UC-22.18.26 · RTU-ROW-12 off-role Genetec badge swipes (API RP 1164) [medium] [API RP 1164]
- UC-22.18.27 · DNP3 sequence-number gaps (API RP 1164) [low] [API RP 1164]
- UC-22.18.28 · Claroty devices with unverified integrity state (API RP 1164) [critical] [API RP 1164]
- UC-22.18.29 · Pipeline cyber incident MTTR tracking (API RP 1164) [high] [API RP 1164]
- UC-22.18.30 · API 1164 domain-score regression year-over-year (API RP 1164) [medium] [API RP 1164]
- UC-22.18.31 · Critical SCADA vulnerabilities by Tenable plugin (API RP 1164) [low] [API RP 1164]
- UC-22.18.32 · SCADA tabletop exercises missing evidence (API RP 1164) [critical] [API RP 1164]
- UC-22.18.33 · Pipeline SCADA risks with open treatment (API RP 1164) [high] [API RP 1164]
- UC-22.18.34 · Pipeline cyber training overdue (API RP 1164) [medium] [API RP 1164]
- UC-22.18.35 · API 1164 regulatory reports past due (API RP 1164) [low] [API RP 1164]

### 22.17 FDA 21 CFR Part 11

- UC-22.17.1 · LIMS audit entries missing reason codes (21 CFR Part 11) [high] [FDA 21 CFR Part 11]
- UC-22.17.2 · LIMS excessive record modifications per batch (21 CFR Part 11) [medium] [FDA 21 CFR Part 11]
- UC-22.17.3 · MES batch clock-skew vs generated timestamp (21 CFR Part 11) [low] [FDA 21 CFR Part 11]
- UC-22.17.4 · Veeva document hash mismatch (21 CFR Part 11) [critical] [FDA 21 CFR Part 11]
- UC-22.17.5 · LIMS records past retention without disposition (21 CFR Part 11) [high] [FDA 21 CFR Part 11]
- UC-22.17.6 · ELN signatures beyond delegated authority (21 CFR Part 11) [medium] [FDA 21 CFR Part 11]
- UC-22.17.7 · ELN signatures missing certificate or hash binding (21 CFR Part 11) [low] [FDA 21 CFR Part 11]
- UC-22.17.8 · ELN logins without FIDO2 or X.509 credential (21 CFR Part 11) [critical] [FDA 21 CFR Part 11]
- UC-22.17.9 · ELN signatures missing meaning code (21 CFR Part 11) [high] [FDA 21 CFR Part 11]
- UC-22.17.10 · ELN release signatures bypassing multi-step flow (21 CFR Part 11) [medium] [FDA 21 CFR Part 11]
- UC-22.17.11 · CDS injections with too few audit entries (21 CFR Part 11) [low] [FDA 21 CFR Part 11]
- UC-22.17.12 · LIMS sample touched by multiple actors (21 CFR Part 11) [critical] [FDA 21 CFR Part 11]
- UC-22.17.13 · MES record UPDATE without change reason (21 CFR Part 11) [high] [FDA 21 CFR Part 11]
- UC-22.17.14 · HPLC NTP drift over 500 ms (21 CFR Part 11) [medium] [FDA 21 CFR Part 11]
- UC-22.17.15 · Veeam LIMS database backup failures (21 CFR Part 11) [low] [FDA 21 CFR Part 11]
- UC-22.17.16 · MES batch entries missing ALCOA who/when/what/why fields (21 CFR Part 11) [critical] [FDA 21 CFR Part 11]
- UC-22.17.17 · Commvault MES subclient backups not completed (21 CFR Part 11) [high] [FDA 21 CFR Part 11]
- UC-22.17.18 · LIMS COPY action without independent witness (21 CFR Part 11) [medium] [FDA 21 CFR Part 11]
- UC-22.17.19 · CDS raw vs processed chromatogram file mismatch (21 CFR Part 11) [low] [FDA 21 CFR Part 11]
- UC-22.17.20 · Lab instrument integrity-check failures (21 CFR Part 11) [critical] [FDA 21 CFR Part 11]
- UC-22.17.21 · LIMS-PROD PQ sign-offs incomplete (21 CFR Part 11) [high] [FDA 21 CFR Part 11]
- UC-22.17.22 · LIMS change requests without CSV risk assessment (21 CFR Part 11) [medium] [FDA 21 CFR Part 11]
- UC-22.17.23 · Periodic system reviews overdue (21 CFR Part 11) [low] [FDA 21 CFR Part 11]
- UC-22.17.24 · GxP workstation Windows account changes (21 CFR Part 11) [critical] [FDA 21 CFR Part 11]
- UC-22.17.25 · Overdue GxP computer-systems training by course (21 CFR Part 11) [high] [FDA 21 CFR Part 11]

### 22.19 FISMA / FedRAMP

- UC-22.19.1 · CloudTrail high-volume mutating actions (FISMA / FedRAMP) [high] [FISMA / FedRAMP]
- UC-22.19.2 · Tenable FedRAMP compliance failures (FISMA / FedRAMP) [medium] [FISMA / FedRAMP]
- UC-22.19.3 · STIG file-integrity hash mismatch (FISMA / FedRAMP) [low] [FISMA / FedRAMP]
- UC-22.19.4 · WSUS patch coverage below 95 percent (FISMA / FedRAMP) [critical] [FISMA / FedRAMP]
- UC-22.19.5 · FedRAMP servers not discovered in 30 days (FISMA / FedRAMP) [high] [FISMA / FedRAMP]
- UC-22.19.6 · GovCloud SSP sections incomplete (FISMA / FedRAMP) [medium] [FISMA / FedRAMP]
- UC-22.19.7 · FedRAMP POA&M items past planned finish (FISMA / FedRAMP) [low] [FISMA / FedRAMP]
- UC-22.19.8 · Risk acceptances past review date (FISMA / FedRAMP) [critical] [FISMA / FedRAMP]
- UC-22.19.9 · Azure VNet peerings outside approved list (FISMA / FedRAMP) [high] [FISMA / FedRAMP]
- UC-22.19.10 · AWS SG ingress opened to 0.0.0.0/0 (FISMA / FedRAMP) [medium] [FISMA / FedRAMP]
- UC-22.19.11 · FedRAMP notable events unactioned over 8 h (FISMA / FedRAMP) [low] [FISMA / FedRAMP]
- UC-22.19.12 · US-CERT or CISA incidents unresolved (FISMA / FedRAMP) [critical] [FISMA / FedRAMP]
- UC-22.19.13 · Phantom high-severity containers off NIST DE.CM (FISMA / FedRAMP) [high] [FISMA / FedRAMP]
- UC-22.19.14 · FedRAMP hosts with cleared Windows Security log (FISMA / FedRAMP) [medium] [FISMA / FedRAMP]
- UC-22.19.15 · Federal IR lessons-learned not published (FISMA / FedRAMP) [low] [FISMA / FedRAMP]
- UC-22.19.16 · Fed apps accepting single-factor authentication (FISMA / FedRAMP) [critical] [FISMA / FedRAMP]
- UC-22.19.17 · CyberArk Fed-Admin safe checkout surge (FISMA / FedRAMP) [high] [FISMA / FedRAMP]
- UC-22.19.18 · Dormant privileged accounts beyond 90 days (FISMA / FedRAMP) [medium] [FISMA / FedRAMP]
- UC-22.19.19 · Fed-VDP VPN from unexpected private subnets (FISMA / FedRAMP) [low] [FISMA / FedRAMP]
- UC-22.19.20 · SAP users with excessive role stacking (FISMA / FedRAMP) [critical] [FISMA / FedRAMP]
- UC-22.19.21 · FedRAMP 2026 control assessments failed (FISMA / FedRAMP) [high] [FISMA / FedRAMP]
- UC-22.19.22 · Open 3PAO findings by severity (FISMA / FedRAMP) [medium] [FISMA / FedRAMP]
- UC-22.19.23 · CDM devices without hardware root of trust (FISMA / FedRAMP) [low] [FISMA / FedRAMP]
- UC-22.19.24 · Risk score above 80 on CUI systems (FISMA / FedRAMP) [critical] [FISMA / FedRAMP]
- UC-22.19.25 · FedRAMP marketplace listings not active (FISMA / FedRAMP) [high] [FISMA / FedRAMP]

### 22.20 CMMC 2.0

- UC-22.20.1 · CMMC Level 2 practice evidence — CUI control area 1 (CMMC 2.0 Level 2) [high] [CMMC 2.0]
- UC-22.20.2 · CMMC Level 2 practice evidence — CUI control area 2 (CMMC 2.0 Level 2) [medium] [CMMC 2.0]
- UC-22.20.3 · CMMC Level 2 practice evidence — CUI control area 3 (CMMC 2.0 Level 2) [low] [CMMC 2.0]
- UC-22.20.4 · CMMC Level 2 practice evidence — CUI control area 4 (CMMC 2.0 Level 2) [critical] [CMMC 2.0]
- UC-22.20.5 · CMMC Level 2 practice evidence — CUI control area 5 (CMMC 2.0 Level 2) [high] [CMMC 2.0]
- UC-22.20.6 · CMMC Level 2 practice evidence — CUI control area 6 (CMMC 2.0 Level 2) [medium] [CMMC 2.0]
- UC-22.20.7 · CMMC Level 2 practice evidence — CUI control area 7 (CMMC 2.0 Level 2) [low] [CMMC 2.0]
- UC-22.20.8 · CMMC Level 2 practice evidence — CUI control area 8 (CMMC 2.0 Level 2) [critical] [CMMC 2.0]
- UC-22.20.9 · CMMC Level 2 practice evidence — CUI control area 9 (CMMC 2.0 Level 2) [high] [CMMC 2.0]
- UC-22.20.10 · CMMC Level 2 practice evidence — CUI control area 10 (CMMC 2.0 Level 2) [medium] [CMMC 2.0]
- UC-22.20.11 · CMMC Level 3 enhanced practice — threat scenario 1 (CMMC 2.0 Level 3) [low] [CMMC 2.0]
- UC-22.20.12 · CMMC Level 3 enhanced practice — threat scenario 2 (CMMC 2.0 Level 3) [critical] [CMMC 2.0]
- UC-22.20.13 · CMMC Level 3 enhanced practice — threat scenario 3 (CMMC 2.0 Level 3) [high] [CMMC 2.0]
- UC-22.20.14 · CMMC Level 3 enhanced practice — threat scenario 4 (CMMC 2.0 Level 3) [medium] [CMMC 2.0]
- UC-22.20.15 · CMMC Level 3 enhanced practice — threat scenario 5 (CMMC 2.0 Level 3) [low] [CMMC 2.0]
- UC-22.20.16 · CMMC assessment readiness — artifact 1 (CMMC 2.0 Assessment) [critical] [CMMC 2.0]
- UC-22.20.17 · CMMC assessment readiness — artifact 2 (CMMC 2.0 Assessment) [high] [CMMC 2.0]
- UC-22.20.18 · CMMC assessment readiness — artifact 3 (CMMC 2.0 Assessment) [medium] [CMMC 2.0]
- UC-22.20.19 · CMMC assessment readiness — artifact 4 (CMMC 2.0 Assessment) [low] [CMMC 2.0]
- UC-22.20.20 · CMMC assessment readiness — artifact 5 (CMMC 2.0 Assessment) [critical] [CMMC 2.0]

### 22.21 EU AI Act

- UC-22.21.1 · Automatic Recording Events for High-Risk AI (Art. 12) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.2 · Model Input/Output Logging Integrity (Art. 12) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.3 · Automated Decision Audit Trail Reconstruction (Art. 12) (EU AI Act) [high] [EU AI Act]
- UC-22.21.4 · Model Performance Degradation Detection (Art. 12) (EU AI Act) [high] [EU AI Act]
- UC-22.21.5 · Bias Drift Monitoring Across Protected Attributes (Art. 12) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.6 · Transparency — Explainability Payload Presence (Art. 13) (EU AI Act) [high] [EU AI Act]
- UC-22.21.7 · Model Version Tracking and Immutable Version IDs (Art. 13) (EU AI Act) [high] [EU AI Act]
- UC-22.21.8 · Training Data Lineage Event Completeness (Art. 13) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.9 · Feature Importance Audit Snapshot Correlation (Art. 13) (EU AI Act) [medium] [EU AI Act]
- UC-22.21.10 · Algorithm Change Documentation Linkage (Art. 13) (EU AI Act) [high] [EU AI Act]
- UC-22.21.11 · Human Override Action Logging Coverage (Art. 14) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.12 · Escalation to Human Review Queue Latency (Art. 14) (EU AI Act) [high] [EU AI Act]
- UC-22.21.13 · Autonomous Decision Threshold Breach Monitoring (Art. 14) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.14 · Human-in-the-Loop Intervention Effectiveness (Art. 14) (EU AI Act) [medium] [EU AI Act]
- UC-22.21.15 · Operator Session Segregation for High-Risk AI Consoles (Art. 14) (EU AI Act) [high] [EU AI Act]
- UC-22.21.16 · Quality Management System Control Evidence Freshness (Art. 17) (EU AI Act) [high] [EU AI Act]
- UC-22.21.17 · Technical Documentation Completeness Checklist (Art. 11/Annex IV) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.18 · EU Database Registration Event Audit (Art. 49) (EU AI Act) [high] [EU AI Act]
- UC-22.21.19 · CE Marking Evidence — Test Report Coverage (Art. 48) (EU AI Act) [high] [EU AI Act]
- UC-22.21.20 · Risk Management System — Hazard Log Update SLA (Art. 9/Annex IV) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.21 · Post-Market Surveillance Signal Detection (Art. 72) (EU AI Act) [high] [EU AI Act]
- UC-22.21.22 · Serious Incident Report Pack Timeliness (Art. 73) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.23 · Model Withdrawal / Recall Execution Audit (Art. 12/72) (EU AI Act) [critical] [EU AI Act]
- UC-22.21.24 · User Feedback Collection Pipeline Health (Art. 72) (EU AI Act) [medium] [EU AI Act]
- UC-22.21.25 · Regulatory Authority Notification Delivery Confirmation (Art. 73) (EU AI Act) [critical] [EU AI Act]

### 22.22 PSD2 / Payment Services

- UC-22.22.1 · SCA Challenge Rate Monitoring (RTS on SCA & CSC) (PSD2 RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.2 · SCA Exemption Usage Tracking (RTS on SCA & CSC) (PSD2 RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.3 · Dynamic Linking Verification for Payee/Amount (RTS Art. 5) (PSD2 RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.4 · Authentication Factor Validation Failure Trends (PSD2 RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.5 · Biometric SCA Attempt and Liveness Failure Monitoring (PSD2 RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.6 · SCA Fallback Channel Abuse (SMS OTP / Voice OTP) (PSD2 RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.7 · Transaction Fraud Detection — Score and Rule Hits (PSD2 / EBA fraud guidelines) [high] [PSD2]
- UC-22.22.8 · Unauthorized Transaction Claims and Dispute Intake Velocity (PSD2 / EBA fraud guidelines) [critical] [PSD2]
- UC-22.22.9 · Merchant Fraud Trending by MCC and Acquirer (PSD2 / EBA fraud guidelines) [high] [PSD2]
- UC-22.22.10 · Real-Time Fraud Scoring Latency and Engine Errors (PSD2 / EBA fraud guidelines) [high] [PSD2]
- UC-22.22.11 · Cross-Border Payment Anomaly Detection (Corridor Concentration) (PSD2 / EBA fraud guidelines) [medium] [PSD2]
- UC-22.22.12 · Account Takeover Signals Linked to Payment Instrument Changes (PSD2 / EBA fraud guidelines) [critical] [PSD2]
- UC-22.22.13 · TPP Access Monitoring for AIS/PIS Traffic (RTS APIs) (PSD2 / RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.14 · Open Banking API Rate Limiting and Throttle Breaches (PSD2 / RTS on SCA & CSC) [high] [PSD2]
- UC-22.22.15 · Consent Record Alignment to Accessed Account Scopes (PSD2) [high] [GDPR, PSD2]
- UC-22.22.16 · Data Minimization Checks for TPP Response Payload Sizes (PSD2) [high] [PSD2]
- UC-22.22.17 · Sandbox vs Production Traffic Separation and Leakage (PSD2) [high] [PSD2]
- UC-22.22.18 · Mutual TLS and OAuth Client Certificate Authentication Audits (PSD2 / EBA guidelines) [high] [PSD2]
- UC-22.22.19 · Payment Processing Integrity — Duplicate Authorization IDs (PSD2) [high] [PSD2]
- UC-22.22.20 · Settlement Reconciliation Exceptions (Acquirer vs Issuer) (PSD2) [high] [PSD2]
- UC-22.22.21 · High-Value Transfer Monitoring vs Internal Policy Limits (PSD2) [high] [PSD2]
- UC-22.22.22 · Refund and Reversal Spike Detection by Merchant (PSD2) [high] [PSD2]
- UC-22.22.23 · Dormant Account Activity After Long Inactivity (PSD2) [high] [PSD2]
- UC-22.22.24 · Cross-Currency Transaction Monitoring and FX Spread Anomalies (PSD2) [high] [PSD2]
- UC-22.22.25 · Major Incident Notification Readiness to NCA (Payment Service) (PSD2 / NCA operational expectations) [critical] [PSD2]
- UC-22.22.26 · Operational vs Security Incident Classification Consistency (PSD2) [high] [PSD2]
- UC-22.22.27 · Customer Impact Assessment Coverage for Incidents (PSD2) [high] [PSD2]
- UC-22.22.28 · Payment Service Availability SLO Breach Tracking (PSD2) [high] [PSD2]
- UC-22.22.29 · Fraud Loss Reporting Aggregation by Product Line (PSD2 / EBA fraud reporting) [high] [PSD2]
- UC-22.22.30 · Quarterly Statistical Reporting Dataset Reconciliation (PSD2 / EBA reporting) [high] [PSD2]

### 22.23 EU Cyber Resilience Act (CRA)

- UC-22.23.1 · Security-by-Default Configuration Evidence (CRA Art. 10(2)) (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.2 · Default Credential and Hardcoded Secret Detection in Releases (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.3 · Attack Surface Minimization — Exposed Admin Interfaces (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.4 · Secure Update Mechanism Integrity (Signed Update Verification) (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.5 · Data Protection in Product — Local Storage Encryption Flags (EU CRA) [high] [CCPA, EU Cyber Resilience Act (CRA), GDPR]
- UC-22.23.6 · Coordinated Disclosure Process SLA (Reporter Acknowledgement) (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.7 · External Vulnerability Intelligence Correlation (KEV/EPSS) (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.8 · Patch Timeline Compliance vs Vendor SLA (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.9 · End-of-Support Notification Delivery Audit (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.10 · Vulnerability Severity Assessment Consistency (CVSS vector completeness) (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.11 · SBOM Generation Job Success and Artifact Hash Registry (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.12 · Component Vulnerability Tracking from SBOM to CVE (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.13 · Open Source License Compliance Drift in Dependencies (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.14 · Dependency Update Monitoring and Stale Component Age (EU CRA) [high] [EU Cyber Resilience Act (CRA)]
- UC-22.23.15 · Actively Exploited Vulnerability Notification Window (24h evidence) (EU CRA) [critical] [EU Cyber Resilience Act (CRA)]
- UC-22.23.16 · Incident Notification to ENISA — Delivery and Acknowledgement (EU CRA) [critical] [EU Cyber Resilience Act (CRA)]
- UC-22.23.17 · User Notification for Material Product Security Issues (EU CRA) [high] [EU Cyber Resilience Act 
(CRA)] - UC-22.23.18 · Security Testing Evidence in CI Gates (SAST/DAST/SCA) (EU CRA) [high] [EU Cyber Resilience Act (CRA)] - UC-22.23.19 · Threat Modeling Artifact Presence by Release Train (EU CRA) [high] [EU Cyber Resilience Act (CRA)] - UC-22.23.20 · Code Review and Pull Request Approval Evidence for Security Changes (EU CRA) [high] [EU Cyber Resilience Act (CRA)] ### 22.24 eIDAS 2.0 / Trust Services - UC-22.24.1 · Qualified Certificate Issuance and Revocation Audit Trail (eIDAS / ETSI) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.2 · Qualified Timestamp Integrity and Clock Synchronization Checks (eIDAS / ETSI) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.3 · Trust Service Availability and Error Rate Monitoring (eIDAS) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.4 · Conformity Assessment Evidence Index Freshness (eIDAS) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.5 · EU Digital Identity Wallet Issuance Event Completeness (eIDAS 2.0) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.6 · Wallet Credential Presentation Audit (RP relying party) (eIDAS 2.0) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.7 · Selective Disclosure Attribute Set Minimization Monitoring (eIDAS 2.0) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.8 · Wallet Suspension and Revocation Propagation Latency (eIDAS 2.0) [critical] [eIDAS 2.0 / EU trust services] - UC-22.24.9 · Qualified Timestamp Accuracy vs Stratum / NTP Offset (eIDAS / ETSI) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.10 · Timestamp Source Diversity and Failover Evidence (eIDAS / ETSI) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.11 · Long-Term Validation Evidence for Signature Time Stamps (eIDAS) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.12 · Archive Timestamp Chain Continuity Checks (eIDAS) [high] [eIDAS 2.0 / EU trust services] - UC-22.24.13 · Certificate Validity Window Monitoring (Not Before / Not After) (eIDAS) [critical] [eIDAS 2.0 / EU trust services] - UC-22.24.14 · CRL 
and OCSP Response Freshness and HTTP Status Audits (eIDAS) [critical] [eIDAS 2.0 / EU trust services] - UC-22.24.15 · Qualified Certificate Attribute Verification Against Subscriber Records (eIDAS) [high] [eIDAS 2.0 / EU trust services] ### 22.25 AML / CFT (Anti-Money Laundering) - UC-22.25.1 · Structuring and Smurfing Pattern Detection (Just Below Thresholds) (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.2 · Rapid Movement of Funds Through Layering Accounts (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.3 · Round-Trip Transaction Detection (Circular Flows) (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.4 · Unusual Transaction Pattern Deviation vs Customer Profile (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.5 · Dormant Account Reactivation with High Outbound Velocity (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.6 · Cash-Intensive Business Monitoring vs Sector Benchmarks (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.7 · Cross-Border Transaction Threshold and Corridor Risk Scoring (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.8 · Suspicious Transaction Report (STR) Generation Workflow Audits (EU AMLD / national FIAML) [critical] [EU AML/CFT framework] - UC-22.25.9 · SAR Filing Timeline Compliance vs Regulatory Cutoffs (EU AMLD / national FIAML) [critical] [EU AML/CFT framework] - UC-22.25.10 · SAR Quality Assurance Sampling — Narrative Length and Fields (EU AMLD / national FIAML) [high] [EU AML/CFT framework] - UC-22.25.11 · SAR Feedback Loop Tracking from Supervisor to Front Office (EU AMLD / national FIAML) [high] [EU AML/CFT framework] - UC-22.25.12 · Regulatory Examination Evidence — STR/SAR Retrieval Completeness (EU AMLD / national FIAML) [high] [EU AML/CFT framework] - UC-22.25.13 · Customer Due Diligence (CDD) Completion Before Account Use (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.14 · Enhanced 
Due Diligence (EDD) Trigger and Approval Tracking (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.15 · Beneficial Ownership Verification Completeness (UBO) (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.16 · Customer Risk Scoring Model Output Drift Monitoring (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.17 · Periodic KYC Review Compliance and Overdue Reviews (EU AMLD / national law) [high] [EU AML/CFT framework] - UC-22.25.18 · Real-Time Sanctions Screening Hit Rate and Latency (EU AMLD / sanctions regulations) [critical] [EU AML/CFT framework] - UC-22.25.19 · Sanctions List Update Monitoring (OFAC/EU/UN Feeds) (EU sanctions regulations) [high] [EU AML/CFT framework] - UC-22.25.20 · False Positive Management — Analyst Override Quality (EU AMLD / internal policy) [high] [EU AML/CFT framework] - UC-22.25.21 · Secondary Sanctions and Sectoral Sanctions Exposure Mapping (EU/US sanctions policy) [high] [EU AML/CFT framework] - UC-22.25.22 · Correspondent Banking Sanctions Screening Coverage (EU AMLD / Wolfsberg) [critical] [EU AML/CFT framework] - UC-22.25.23 · Trade Embargo Compliance for Goods and Destination Checks (EU sanctions / trade controls) [critical] [EU AML/CFT framework] - UC-22.25.24 · PEP Identification and Classification Coverage at Onboarding (EU AMLD / FATF) [high] [EU AML/CFT framework] - UC-22.25.25 · PEP Transaction Monitoring — Elevated Monitoring Rules (EU AMLD / FATF) [high] [EU AML/CFT framework] - UC-22.25.26 · PEP Relationship Mapping and Network Expansion Alerts (EU AMLD / FATF) [high] [EU AML/CFT framework] - UC-22.25.27 · Source of Wealth (SoW) Verification Evidence Completeness (EU AMLD / FATF) [high] [EU AML/CFT framework] - UC-22.25.28 · Political Exposure Change Detection (Ongoing Screening) (EU AMLD / FATF) [high] [EU AML/CFT framework] - UC-22.25.29 · ML/TF National Risk Assessment Control Mapping Evidence (EU AMLD / NRA) [high] [EU AML/CFT framework] - UC-22.25.30 · 
Institution-Wide Risk Assessment (IWRA) Control Testing Samples (EU AMLD) [high] [EU AML/CFT framework] - UC-22.25.31 · Product and Service Risk Rating Changes and Approvals (EU AMLD) [high] [EU AML/CFT framework] - UC-22.25.32 · Geographic Risk Monitoring — High-Risk Jurisdiction Concentration (EU AMLD / FATF) [high] [EU AML/CFT framework] - UC-22.25.33 · Delivery Channel Risk — Digital Onboarding Fraud Uplift (EU AMLD) [high] [EU AML/CFT framework] - UC-22.25.34 · New Technology Risk Assessment (VA/VASP/Instant Payments) (EU AMLD / MiCA intersection) [high] [EU AML/CFT framework] - UC-22.25.35 · Regulatory Change Impact Assessment Tracking for AML Program (EU AMLD) [high] [EU AML/CFT framework] ### 22.26 Norwegian Regulatory Framework - UC-22.26.1 · Classified information system monitoring (NSM RUT) [high] [Sikkerhetsloven; NSM veiledning] - UC-22.26.2 · Security clearance tracking (Sikkerhetsloven) [medium] [Sikkerhetsloven; NSM veiledning] - UC-22.26.3 · NSM reporting compliance (NSM IKT) [low] [Sikkerhetsloven; NSM veiledning] - UC-22.26.4 · Protective security measures (NSM beskyttelse) [critical] [Sikkerhetsloven; NSM veiledning] - UC-22.26.5 · Information system accreditation evidence (NSM akkreditering) [high] [Sikkerhetsloven; NSM veiledning] - UC-22.26.6 · Power system availability monitoring (Kraftberedskap) [medium] [Kraftberedskapsforskriften; NVE] - UC-22.26.7 · Grid SCADA access control (NVE) [critical] [Kraftberedskapsforskriften; NVE] - UC-22.26.8 · Emergency preparedness evidence (Kraftberedskap) [critical] [Kraftberedskapsforskriften; NVE] - UC-22.26.9 · NVE reporting compliance (NVE) [high] [Kraftberedskapsforskriften; NVE] - UC-22.26.10 · Critical infrastructure resilience (RME/KI) [medium] [Kraftberedskapsforskriften; NVE] - UC-22.26.11 · Offshore platform system monitoring (PSA) [low] [Petroleumsforskriften; PSA] - UC-22.26.12 · Safety-critical system integrity (Petroleumsforskriften) [critical] [Petroleumsforskriften; PSA] - UC-22.26.13 · 
PSA compliance evidence (PSA) [high] [Petroleumsforskriften; PSA] - UC-22.26.14 · HSE system audit trails (HSE) [critical] [Petroleumsforskriften; PSA] - UC-22.26.15 · Petroleum facility access control (Petroleumsforskriften) [low] [Petroleumsforskriften; PSA] - UC-22.26.16 · Datatilsynet breach reporting (Personopplysningsloven) [critical] [Personopplysningsloven; Datatilsynet] - UC-22.26.17 · Altinn-based data handling compliance (Altinn) [high] [Personopplysningsloven; Datatilsynet] - UC-22.26.18 · National ID number protection (fødselsnummer) [medium] [Personopplysningsloven; Datatilsynet] - UC-22.26.19 · Sector-specific processing rules (Personopplysningsloven) [low] [Personopplysningsloven; Datatilsynet] - UC-22.26.20 · Cross-border transfer to non-EU/EEA (Personopplysningsloven) [critical] [Personopplysningsloven; Datatilsynet] ### 22.27 UK Regulations (NIS + FCA/PRA) - UC-22.27.1 · OES security measures monitoring (UK NIS Regulations) [high] [NIS Regulations (UK)] - UC-22.27.2 · Digital service provider compliance checks (UK NIS Regulations) [medium] [NIS Regulations (UK)] - UC-22.27.3 · NCSC CAF outcome evidence tagging (UK NIS Regulations) [low] [NIS Regulations (UK)] - UC-22.27.4 · Network and information systems incident reporting (UK NIS Regulations) [critical] [NIS Regulations (UK)] - UC-22.27.5 · Security of essential services mapping (UK NIS Regulations) [high] [NIS Regulations (UK)] - UC-22.27.6 · Threat intelligence sharing ingestion for OES (UK NIS Regulations) [medium] [NIS Regulations (UK)] - UC-22.27.7 · Supply chain security for OES dependencies (UK NIS Regulations) [critical] [NIS Regulations (UK)] - UC-22.27.8 · Capacity and resilience headroom tracking (UK NIS Regulations) [critical] [NIS Regulations (UK)] - UC-22.27.9 · Competent authority notification completeness (UK NIS Regulations) [high] [NIS Regulations (UK)] - UC-22.27.10 · NIS audit evidence correlation (UK NIS Regulations) [medium] [NIS Regulations (UK)] - UC-22.27.11 · Important 
business service mapping health (FCA operational resilience) [low] [FCA SS1/21 operational resilience] - UC-22.27.12 · Impact tolerance testing evidence (FCA operational resilience) [critical] [FCA SS1/21 operational resilience] - UC-22.27.13 · Third-party dependency concentration monitoring (FCA operational resilience) [high] [FCA SS1/21 operational resilience] - UC-22.27.14 · Scenario testing record capture (FCA operational resilience) [critical] [FCA SS1/21 operational resilience] - UC-22.27.15 · Communication and information systems resilience (FCA operational resilience) [low] [FCA SS1/21 operational resilience] - UC-22.27.16 · Self-assessment compliance scoring (FCA operational resilience) [critical] [FCA SS1/21 operational resilience] - UC-22.27.17 · FCA notification timeline tracking (FCA operational resilience) [high] [FCA SS1/21 operational resilience] - UC-22.27.18 · Outsourcing operational resilience oversight (FCA operational resilience) [medium] [FCA SS1/21 operational resilience] - UC-22.27.19 · Material outsourcing register drift detection (PRA outsourcing) [low] [PRA SS2/21 outsourcing] - UC-22.27.20 · Outsourcing concentration risk monitoring (PRA outsourcing) [critical] [PRA SS2/21 outsourcing] - UC-22.27.21 · Exit strategy test evidence (PRA outsourcing) [critical] [PRA SS2/21 outsourcing] - UC-22.27.22 · Sub-outsourcing chain visibility (PRA outsourcing) [medium] [PRA SS2/21 outsourcing] - UC-22.27.23 · Cloud outsourcing compliance validation (PRA outsourcing) [low] [PRA SS2/21 outsourcing] - UC-22.27.24 · Senior manager responsibility mapping (SM&CR) [critical] [FCA SM&CR] - UC-22.27.25 · Certification regime compliance monitoring (SM&CR) [high] [FCA SM&CR] - UC-22.27.26 · Conduct rule breach monitoring (SM&CR) [medium] [FCA SM&CR] - UC-22.27.27 · Reasonable steps evidence aggregation (SM&CR) [low] [FCA SM&CR] - UC-22.27.28 · Cyber Essentials boundary firewall configuration evidence (Cyber Essentials) [critical] [Cyber Essentials] - 
UC-22.27.29 · Cyber Essentials Plus secure configuration baseline drift (Cyber Essentials) [high] [Cyber Essentials] - UC-22.27.30 · Malware protection and update compliance for CE scope (Cyber Essentials) [medium] [Cyber Essentials] ### 22.28 German KRITIS / BSI - UC-22.28.1 · KRITIS operator reporting evidence (IT-SiG 2.0; BSI) [medium] [IT-SiG 2.0] - UC-22.28.2 · KRITIS registration and asset scope compliance (IT-SiG 2.0; BSI) [low] [IT-SiG 2.0] - UC-22.28.3 · Systems for attack detection (SzA) alert fidelity (IT-SiG 2.0; BSI) [critical] [IT-SiG 2.0] - UC-22.28.4 · BSI notification within 24 hours tracking (IT-SiG 2.0; BSI) [high] [IT-SiG 2.0] - UC-22.28.5 · Annual BSI audit evidence aggregation (IT-SiG 2.0; BSI) [medium] [IT-SiG 2.0] - UC-22.28.6 · Sector threshold and scope monitoring (BSI-KritisV) [critical] [BSI-KritisV] - UC-22.28.7 · KRITIS asset inventory completeness (BSI-KritisV) [critical] [BSI-KritisV] - UC-22.28.8 · Minimum security standard compliance (BSI-KritisV) [high] [BSI-KritisV] - UC-22.28.9 · Interface security between operators (BSI-KritisV) [medium] [BSI-KritisV] - UC-22.28.10 · Disruption impact assessment evidence (BSI-KritisV) [low] [BSI-KritisV] - UC-22.28.11 · BSI module compliance tracking (IT-Grundschutz) [critical] [IT-Grundschutz] - UC-22.28.12 · Risk analysis per BSI methodology (IT-Grundschutz) [high] [IT-Grundschutz] - UC-22.28.13 · Security concept documentation changes (IT-Grundschutz) [critical] [IT-Grundschutz] - UC-22.28.14 · Penetration test compliance and remediation (IT-Grundschutz) [low] [IT-Grundschutz] - UC-22.28.15 · Grundschutz certification evidence pack (IT-Grundschutz) [critical] [IT-Grundschutz] - UC-22.28.16 · Information risk management for financial institutions (BAIT/KAIT) [high] [BAIT/KAIT] - UC-22.28.17 · IT operations governance evidence (BAIT/KAIT) [medium] [BAIT/KAIT] - UC-22.28.18 · Outsourcing management for banks and insurers (BAIT/KAIT) [low] [BAIT/KAIT] - UC-22.28.19 · User access management for 
banking systems (BAIT/KAIT) [critical] [BAIT/KAIT] - UC-22.28.20 · Critical infrastructure reporting for insurance sector (BAIT/KAIT) [critical] [BAIT/KAIT] ### 22.29 APAC Data Protection - UC-22.29.1 · China PIPL Art.38 localization boundary monitoring (PIPL Art.38; ASEAN CBPR) [critical] [PIPL Art.38] - UC-22.29.2 · Cross-border transfer impact assessment logging (PIPL Art.38; ASEAN CBPR) [high] [PIPL Art.38] - UC-22.29.3 · ASEAN CBPR participation evidence (PIPL Art.38; ASEAN CBPR) [medium] [PIPL Art.38] - UC-22.29.4 · Transfer mechanism validation before export (PIPL Art.38; ASEAN CBPR) [critical] [PIPL Art.38] - UC-22.29.5 · Data residency monitoring for regulated datasets (PIPL Art.38; ASEAN CBPR) [critical] [PIPL Art.38] - UC-22.29.6 · Third-country adequacy decision tracking (PIPL Art.38; ASEAN CBPR) [high] [PIPL Art.38] - UC-22.29.7 · Breach discovery and severity classification (APAC breach laws) [medium] [APAC breach laws] - UC-22.29.8 · Regulator notification timeline compliance by jurisdiction (APAC breach laws) [low] [APAC breach laws] - UC-22.29.9 · Affected individual notification evidence (APAC breach laws) [critical] [APAC breach laws] - UC-22.29.10 · Authority reporting package completeness (APAC breach laws) [high] [APAC breach laws] - UC-22.29.11 · Breach register maintenance and linkage (APAC breach laws) [critical] [APAC breach laws] - UC-22.29.12 · Remediation and root-cause tracking (APAC breach laws) [low] [APAC breach laws] - UC-22.29.13 · Reasonable security measures per Singapore PDPA (PDPA SG; PIPL; K-ISMS) [critical] [PDPA SG] - UC-22.29.14 · PIPL cybersecurity protection obligations monitoring (PDPA SG; PIPL; K-ISMS) [high] [PDPA SG] - UC-22.29.15 · K-ISMS certification maintenance evidence (PDPA SG; PIPL; K-ISMS) [medium] [PDPA SG] - UC-22.29.16 · Technical measures adequacy review (PDPA SG; PIPL; K-ISMS) [low] [PDPA SG] - UC-22.29.17 · Encryption and pseudonymization control evidence (PDPA SG; PIPL; K-ISMS) [critical] [CCPA, GDPR, 
PDPA SG] - UC-22.29.18 · Access control validation for personal data stores (PDPA SG; PIPL; K-ISMS) [critical] [CCPA, GDPR, PDPA SG] - UC-22.29.19 · DPO appointment and coverage compliance (APPI; PDPA Thailand) [medium] [APPI] - UC-22.29.20 · DPIA completion for high-risk processing (APPI; PDPA Thailand) [low] [APPI] - UC-22.29.21 · Privacy impact assessment tracking (APPI; PDPA Thailand) [critical] [APPI] - UC-22.29.22 · DPO activity reporting metrics (APPI; PDPA Thailand) [high] [APPI] - UC-22.29.23 · Regulatory consultation trigger monitoring (APPI; PDPA Thailand) [medium] [APPI] - UC-22.29.24 · Annual privacy program assessment evidence (APPI; PDPA Thailand) [low] [APPI] - UC-22.29.25 · Separate consent for sensitive personal information (PIPL; PDPA) [critical] [GDPR, PIPL] - UC-22.29.26 · Consent withdrawal processing audit (PIPL; PDPA) [high] [GDPR, PIPL] - UC-22.29.27 · Opt-in and opt-out preference tracking (PIPL; PDPA) [medium] [PIPL] - UC-22.29.28 · Purpose limitation enforcement in APIs (PIPL; PDPA) [low] [PIPL] - UC-22.29.29 · Consent record retention compliance (PIPL; PDPA) [critical] [GDPR, PIPL] - UC-22.29.30 · Minor consent and guardian verification monitoring (PIPL; PDPA) [high] [GDPR, PIPL] ### 22.30 APAC Financial Regulation - UC-22.30.1 · Technology risk management governance metrics (MAS TRM) [high] [MAS TRM] - UC-22.30.2 · System availability monitoring against internal SLOs (MAS TRM) [medium] [MAS TRM] - UC-22.30.3 · Privileged access management review evidence (MAS TRM) [low] [MAS TRM] - UC-22.30.4 · Patch management compliance and overdue systems (MAS TRM) [critical] [MAS TRM] - UC-22.30.5 · Security testing evidence aggregation (MAS TRM) [high] [MAS TRM] - UC-22.30.6 · Incident notification to MAS timeline tracking (MAS TRM) [medium] [MAS TRM] - UC-22.30.7 · Outsourcing arrangements risk monitoring (MAS TRM) [critical] [MAS TRM] - UC-22.30.8 · Technology governance board reporting evidence (HKMA TM-G-2) [critical] [HKMA TM-G-2] - 
UC-22.30.9 · Cybersecurity assessment scoring and trends (HKMA TM-G-2) [high] [HKMA TM-G-2] - UC-22.30.10 · Third-party management control monitoring (HKMA TM-G-2) [medium] [HKMA TM-G-2] - UC-22.30.11 · Internet banking security event monitoring (HKMA TM-G-2) [low] [HKMA TM-G-2] - UC-22.30.12 · HKMA incident reporting timeline compliance (HKMA TM-G-2) [critical] [HKMA TM-G-2] - UC-22.30.13 · Cyber security framework compliance monitoring (RBI cyber security framework) [high] [RBI cyber security framework] - UC-22.30.14 · IT governance for banks evidence (RBI cyber security framework) [critical] [RBI cyber security framework] - UC-22.30.15 · Electronic payment channel security monitoring (RBI cyber security framework) [low] [RBI cyber security framework] - UC-22.30.16 · Outsourcing and vendor management evidence (RBI cyber security framework) [critical] [RBI cyber security framework] - UC-22.30.17 · CERT-In incident reporting tracking (RBI cyber security framework) [high] [RBI cyber security framework] - UC-22.30.18 · Business continuity management testing evidence (RBI cyber security framework) [medium] [RBI cyber security framework] - UC-22.30.19 · Information security capability assessment evidence (APRA CPS 234) [low] [APRA CPS 234] - UC-22.30.20 · Information asset classification drift detection (APRA CPS 234) [critical] [APRA CPS 234] - UC-22.30.21 · Policy framework compliance monitoring (APRA CPS 234) [critical] [APRA CPS 234] - UC-22.30.22 · Incident notification within 72 hours tracking (APRA CPS 234) [medium] [APRA CPS 234] - UC-22.30.23 · Security control testing outcomes aggregation (APRA CPS 234) [low] [APRA CPS 234] - UC-22.30.24 · Third-party information security assessment tracking (APRA CPS 234) [critical] [APRA CPS 234] - UC-22.30.25 · Board-level information security reporting pack (APRA CPS 234) [high] [APRA CPS 234] ### 22.31 Australia & New Zealand - UC-22.31.1 · Notifiable data breach assessment workflow timing (Privacy Act 1988 (Cth); NDB) 
[high] [Privacy Act 1988 (Cth); NDB] - UC-22.31.2 · OAIC reporting compliance for eligible breaches (Privacy Act 1988 (Cth); NDB) [medium] [Privacy Act 1988 (Cth); NDB] - UC-22.31.3 · Australian Privacy Principles compliance monitoring (Privacy Act 1988 (Cth); NDB) [low] [Privacy Act 1988 (Cth); NDB] - UC-22.31.4 · Privacy impact assessment register tracking (Privacy Act 1988 (Cth); NDB) [critical] [Privacy Act 1988 (Cth); NDB] - UC-22.31.5 · Cross-border disclosure tracking under APPs (Privacy Act 1988 (Cth); NDB) [high] [Privacy Act 1988 (Cth); NDB] - UC-22.31.6 · Application control allowlist drift monitoring (ASD Essential Eight) [medium] [ASD Essential Eight] - UC-22.31.7 · Microsoft Office macro security baseline compliance (ASD Essential Eight) [critical] [ASD Essential Eight] - UC-22.31.8 · User application hardening compliance (ASD Essential Eight) [critical] [ASD Essential Eight] - UC-22.31.9 · Administrative privilege restriction enforcement (ASD Essential Eight) [high] [ASD Essential Eight] - UC-22.31.10 · Operating system patching latency monitoring (ASD Essential Eight) [medium] [ASD Essential Eight] - UC-22.31.11 · Multi-factor authentication coverage and failures (ASD Essential Eight) [low] [ASD Essential Eight] - UC-22.31.12 · Daily backup verification and restore test evidence (ASD Essential Eight) [critical] [ASD Essential Eight] - UC-22.31.13 · Office macro execution policy violation detection (ASD Essential Eight) [high] [ASD Essential Eight] - UC-22.31.14 · Information security roles and responsibilities attestations (APRA CPS 234) [critical] [APRA CPS 234] - UC-22.31.15 · Control testing compliance evidence (APRA CPS 234) [low] [APRA CPS 234] - UC-22.31.16 · Incident notification workflow within regulatory expectations (APRA CPS 234) [critical] [APRA CPS 234] - UC-22.31.17 · Third-party information security assessment tracking (APRA CPS 234) [high] [APRA CPS 234] - UC-22.31.18 · NZ ISM control effectiveness monitoring (NZISM) [medium] [NZISM] 
- UC-22.31.19 · CERT NZ incident reporting timeline compliance (NZISM) [low] [NZISM] - UC-22.31.20 · Protective security requirements evidence for NZ agencies (NZISM) [critical] [NZISM] ### 22.32 Americas Regulations - UC-22.32.1 · LGPD consent management audit trail (Lei Geral de Proteção de Dados (LGPD)) [high] [GDPR, Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.2 · Data subject rights fulfillment SLA monitoring (Lei Geral de Proteção de Dados (LGPD)) [medium] [CCPA, GDPR, Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.3 · ANPD personal data incident notification evidence (Lei Geral de Proteção de Dados (LGPD)) [critical] [CCPA, GDPR, Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.4 · DPO statutory compliance and coverage (Lei Geral de Proteção de Dados (LGPD)) [critical] [Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.5 · Cross-border transfer legal basis validation (Lei Geral de Proteção de Dados (LGPD)) [high] [Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.6 · Privacy impact assessment (RIPD) tracking (Lei Geral de Proteção de Dados (LGPD)) [medium] [Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.7 · Legitimate interest assessment record monitoring (Lei Geral de Proteção de Dados (LGPD)) [low] [Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.8 · Processing activities register synchronization (Lei Geral de Proteção de Dados (LGPD)) [critical] [Lei Geral de Proteção de Dados (LGPD)] - UC-22.32.9 · Continuous monitoring metrics for system security plans (FISMA; FedRAMP) [high] [FISMA] - UC-22.32.10 · Plan of action and milestone (POA&M) aging management (FISMA; FedRAMP) [critical] [FISMA] - UC-22.32.11 · ATO boundary enforcement for cloud workloads (FISMA; FedRAMP) [low] [FISMA] - UC-22.32.12 · Vulnerability remediation SLA tracking (FISMA; FedRAMP) [critical] [FISMA] - UC-22.32.13 · Security control assessment evidence correlation (FISMA; FedRAMP) [high] [FISMA] - UC-22.32.14 · US-CERT incident reporting completeness (FISMA; FedRAMP) 
[medium] [FISMA] - UC-22.32.15 · PIV and smart card authentication monitoring (FISMA; FedRAMP) [low] [FISMA] - UC-22.32.16 · Supply chain risk management telemetry (FISMA; FedRAMP) [critical] [FISMA] - UC-22.32.17 · Controlled unclassified information access control (CMMC) [critical] [CMMC] - UC-22.32.18 · CMMC practice implementation evidence collection (CMMC) [medium] [CMMC] - UC-22.32.19 · CMMC assessment readiness scoring (CMMC) [low] [CMMC] - UC-22.32.20 · CUI incident response evidence (CMMC) [critical] [CMMC] - UC-22.32.21 · Continuous monitoring for CMMC practice families (CMMC) [high] [CMMC] - UC-22.32.22 · Criminal justice information access logging (CJIS Security Policy) [medium] [CJIS Security Policy] - UC-22.32.23 · Advanced authentication for CJI sessions (CJIS Security Policy) [low] [CJIS Security Policy] - UC-22.32.24 · Personnel security screening compliance tracking (CJIS Security Policy) [critical] [CJIS Security Policy] - UC-22.32.25 · CJI media protection and transfer monitoring (CJIS Security Policy) [high] [CJIS Security Policy] ### 22.33 Middle East Cybersecurity - UC-22.33.1 · National cybersecurity standard compliance monitoring (NESA UAE IAS) [low] [NESA UAE IAS] - UC-22.33.2 · Critical infrastructure segmentation evidence (NESA UAE IAS) [critical] [NESA UAE IAS] - UC-22.33.3 · aeCERT incident reporting timeline compliance (NESA UAE IAS) [high] [NESA UAE IAS] - UC-22.33.4 · Security assessment evidence tracking (NESA UAE IAS) [medium] [NESA UAE IAS] - UC-22.33.5 · Cloud security configuration baseline monitoring (NESA UAE IAS) [critical] [NESA UAE IAS] - UC-22.33.6 · SAMA cybersecurity framework control testing (SAMA Cyber Security Framework) [critical] [SAMA Cyber Security Framework] - UC-22.33.7 · Third-party cybersecurity assessment monitoring (SAMA Cyber Security Framework) [high] [SAMA Cyber Security Framework] - UC-22.33.8 · SAMA cybersecurity incident reporting timeline (SAMA Cyber Security Framework) [medium] [SAMA Cyber Security 
Framework]
- UC-22.33.9 · Secure system development lifecycle evidence (SAMA Cyber Security Framework) [low] [SAMA Cyber Security Framework]
- UC-22.33.10 · Cybersecurity awareness program completion tracking (SAMA Cyber Security Framework) [critical] [SAMA Cyber Security Framework]
- UC-22.33.11 · Personal data processing compliance monitoring (Saudi PDPL) [high] [CCPA, GDPR, Saudi PDPL]
- UC-22.33.12 · Data subject rights implementation evidence (Saudi PDPL) [critical] [CCPA, GDPR, Saudi PDPL]
- UC-22.33.13 · Cross-border personal data transfer controls (Saudi PDPL) [low] [CCPA, GDPR, Saudi PDPL]
- UC-22.33.14 · Personal data breach notification to SDAIA tracking (Saudi PDPL) [critical] [CCPA, GDPR, Saudi PDPL]
- UC-22.33.15 · Data protection impact assessment completion monitoring (Saudi PDPL) [high] [CCPA, GDPR, Saudi PDPL]
- UC-22.33.16 · QCB cybersecurity framework compliance for financial institutions (Qatar Central Bank cybersecurity) [medium] [Qatar Central Bank cybersecurity]
- UC-22.33.17 · QCB cybersecurity incident reporting evidence (Qatar Central Bank cybersecurity) [low] [Qatar Central Bank cybersecurity]
- UC-22.33.18 · Information security governance metrics (Qatar Central Bank cybersecurity) [critical] [Qatar Central Bank cybersecurity]
- UC-22.33.19 · Third-party risk management for banks (Qatar Central Bank cybersecurity) [critical] [Qatar Central Bank cybersecurity]
- UC-22.33.20 · Business continuity evidence for financial services (Qatar Central Bank cybersecurity) [medium] [Qatar Central Bank cybersecurity]

### 22.34 SWIFT Customer Security Programme (CSP)
- UC-22.34.1 · SWIFT secure zone logical isolation monitoring (SWIFT CSCF mandatory) [medium] [SWIFT CSP]
- UC-22.34.2 · Operating system privileged account control within SWIFT zone (SWIFT CSCF mandatory) [critical] [SWIFT CSP]
- UC-22.34.3 · Physical and logical access correlation for SWIFT operators (SWIFT CSCF mandatory) [critical] [SWIFT CSP]
- UC-22.34.4 · Operator MFA and session integrity monitoring (SWIFT CSCF mandatory) [high] [SWIFT CSP]
- UC-22.34.5 · System hardening compliance within the SWIFT secure zone (SWIFT CSCF mandatory) [medium] [SWIFT CSP]
- UC-22.34.6 · Back-office to SWIFT zone data flow security (SWIFT CSCF advisory) [low] [SWIFT CSP]
- UC-22.34.7 · External transmission data protection monitoring (SWIFT CSCF advisory) [critical] [CCPA, GDPR, SWIFT CSP]
- UC-22.34.8 · Operator screening evidence aggregation (SWIFT CSCF advisory) [high] [SWIFT CSP]
- UC-22.34.9 · Intrusion detection coverage within SWIFT environment (SWIFT CSCF advisory) [critical] [SWIFT CSP]
- UC-22.34.10 · Annual KYC-SA attestation evidence pack (SWIFT KYC-SA) [low] [SWIFT CSP]
- UC-22.34.11 · Independent assessment finding remediation tracking (SWIFT KYC-SA) [critical] [SWIFT CSP]
- UC-22.34.12 · Counterparty CSP score monitoring for correspondent risk (SWIFT KYC-SA) [high] [SWIFT CSP]

### 22.35 Evidence continuity and log integrity
- UC-22.35.1 · Audit-log continuity: detect indexing gap indicating lost evidence [critical] [GDPR, HIPAA, PCI-DSS, SOC-2, SOX-ITGC]
- UC-22.35.2 · Log tamper detection via write-once-read-many chain-of-custody [critical] [GDPR, HIPAA Security, PCI DSS, SOC 2, SOX ITGC]
- UC-22.35.3 · Indexer replication lag exposing evidence to single-point failure [high] [DORA, GDPR, NIST 800-53, SOC 2]

### 22.36 Data subject rights fulfillment
- UC-22.36.1 · DSAR fulfillment SLA tracker with verification evidence trail [high] [CCPA/CPRA, GDPR]
- UC-22.36.2 · Right-to-erasure propagation completeness across downstream systems [critical] [CCPA/CPRA, GDPR]
- UC-22.36.3 · Portability export integrity — signed manifest verification [medium] [GDPR]

### 22.37 Consent lifecycle and lawful basis
- UC-22.37.1 · Consent capture evidence freshness — stale-consent alerting [high] [GDPR]
- UC-22.37.2 · Consent withdrawal propagation SLA — downstream stop-processing evidence [critical] [CCPA/CPRA, GDPR]
- UC-22.37.3 · Global Privacy Control (GPC) signal honoring — server-side audit [high] [CCPA/CPRA]

### 22.38 Cross-border transfer controls
- UC-22.38.1 · Cross-border personal-data flow anomaly — egress to unsanctioned jurisdictions [critical] [GDPR]
- UC-22.38.2 · SCC / adequacy decision reference freshness — stale-safeguard detector [medium] [GDPR]
- UC-22.38.3 · Data localization enforcement — regulated-data must-stay-in-region [high] [DORA, GDPR]

### 22.39 Incident notification timeliness
- UC-22.39.1 · Multi-regulator breach-notification SLA tracker (24h NIS2 / 72h GDPR / 72h HIPAA) [critical] [DORA, GDPR, HIPAA Security, NIS2]
- UC-22.39.2 · Regulator-portal submission evidence — one-way API acknowledgement audit [high] [GDPR, NIS2]
- UC-22.39.3 · Data-subject breach communication timeline tracker (Art.34 / §164.404) [high] [GDPR, HIPAA Security]

### 22.40 Privileged access evidence
- UC-22.40.1 · Privileged session recording — missing recordings for elevated sessions [critical] [NIST 800-53, PCI DSS, SOC 2, SOX ITGC]
- UC-22.40.2 · Break-glass account usage review with mandatory post-use approval [critical] [ISO 27001, NIST 800-53, SOX ITGC]
- UC-22.40.3 · Periodic access review SLA — stale certifications by control owner [high] [ISO 27001, NIST 800-53, SOX ITGC]

### 22.41 Encryption and key management attestation
- UC-22.41.1 · Encryption-at-rest coverage gap — unencrypted storage with regulated data [critical] [GDPR, HIPAA Security, NIST 800-53, PCI DSS]
- UC-22.41.2 · Certificate / TLS posture — weak cipher and expired-cert detection [high] [HIPAA Security, NIS2, NIST 800-53, PCI DSS]
- UC-22.41.3 · Key rotation attestation — KMS/HSM rotation SLA tracker [high] [DORA, NIST 800-53, PCI DSS]

### 22.42 Change management and configuration baseline
- UC-22.42.1 · Unauthorized production change — no approved CR matches the observed change [critical] [NIST 800-53, SOC 2, SOX ITGC]
- UC-22.42.2 · Configuration baseline drift — regulated hosts deviating from CIS benchmark [high] [NIST 800-53, PCI DSS]

### 22.43 Vulnerability management and patch SLAs
- UC-22.43.1 · Critical vulnerability SLA tracker — unpatched 30+ days with exploited-in-the-wild indicator [critical] [ISO 27001, NIS2, NIST 800-53, PCI DSS]
- UC-22.43.2 · Vulnerability rediscovery after patch — regressed exposures [high] [NIST 800-53, PCI DSS]

### 22.44 Third-party and supply-chain risk
- UC-22.44.1 · Supplier attestation currency — stale SOC 2 / ISO 27001 reports for critical vendors [high] [DORA, NIS2, NIST 800-53]
- UC-22.44.2 · Subprocessor inventory change — notification SLA to data controllers [high] [DORA, GDPR]
- UC-22.44.3 · Fourth-party concentration risk — shared critical dependencies across vendors [medium] [DORA]

### 22.45 Backup integrity and recovery testing
- UC-22.45.1 · Backup restore test evidence — RPO/RTO SLA compliance per tier [critical] [DORA, NIST 800-53, SOC 2]
- UC-22.45.2 · Backup encryption and air-gap integrity — tamper detection on immutable storage [critical] [HIPAA Security, NIST 800-53]
- UC-22.45.3 · Backup completeness — unprotected workloads with regulated data [high] [DORA, NIST 800-53, SOX ITGC]

### 22.46 Training and awareness
- UC-22.46.1 · Mandatory security training — completion SLA by role [medium] [HIPAA Security, NIS2, PCI DSS]
- UC-22.46.2 · Phishing simulation efficacy — click-rate trend and repeat-clicker detection [medium] [NIS2, PCI DSS]

### 22.47 Control testing evidence freshness
- UC-22.47.1 · Control test freshness — evidence older than policy cadence [medium] [ISO 27001, NIST 800-53, SOC 2]
- UC-22.47.2 · Repeat audit findings — same control deficiency across consecutive audit cycles [high] [SOC 2, SOX ITGC]

### 22.48 Segregation of duties enforcement
- UC-22.48.1 · Segregation of duties — toxic role combinations in IAM [critical] [ISO 27001, PCI DSS, SOX, SOX ITGC]
- UC-22.48.2 · SoD violations via break-glass usage — emergency role abuse [critical] [SOX ITGC]

### 22.49 Retention and disposal automation
- UC-22.49.1 · Retention execution evidence — records past retention still present [high] [CCPA/CPRA, GDPR, HIPAA Security]
- UC-22.49.2 · Disposal workflow completion — failed disposals requiring manual review [high] [GDPR, HIPAA Security]
- UC-22.49.3 · Litigation-hold override audit — holds applied/released without ticket [high] [ISO 27001, SOX ITGC]

### 22.35 — additional UCs (Evidence continuity and log integrity)
- UC-22.35.4 · Log signing chain integrity — cryptographic signature drift on evidence archive [critical] [GDPR, HIPAA, PCI-DSS, SOX-ITGC]
- UC-22.35.5 · Search-head audit-trail completeness — deleted or rewritten search jobs [high] [HIPAA, PCI-DSS, SOC-2]

### 22.36 — additional UCs (Data subject rights fulfillment)
- UC-22.36.4 · DSAR identity-verification friction — failed-verification anomaly [high] [CCPA, GDPR]
- UC-22.36.5 · DSAR request-type mix anomaly — zero-deletion skew indicating broken workflow [medium] [CCPA, GDPR]

### 22.37 — additional UCs (Consent lifecycle and lawful basis)
- UC-22.37.4 · Purpose-limitation enforcement — processing not matching declared purpose [high] [CCPA, GDPR, LGPD]
- UC-22.37.5 · IAB TCF consent string mutation without user interaction [high] [CCPA, GDPR]

### 22.38 — additional UCs (Cross-border transfer controls)
- UC-22.38.4 · Transfer Impact Assessment currency — stale Schrems II assessments [medium] [GDPR, UK-GDPR]
- UC-22.38.5 · Bulk regulated-data export targeting non-adequate jurisdiction [critical] [DORA, GDPR]

### 22.39 — additional UCs (Incident notification timeliness)
- UC-22.39.4 · Cross-regulator consistency — divergent material facts across submissions [high] [DORA, GDPR, NIS2]
- UC-22.39.5 · Regulator-portal authentication failure during submission window [high] [GDPR, NIS2]

### 22.40 — additional UCs (Privileged access evidence)
- UC-22.40.4 · Standing-privilege credential vaulting drift — admin accounts outside PAM [critical] [NIST-800-53, PCI-DSS, SOX-ITGC]
- UC-22.40.5 · High-risk privileged-session command without JIT approval [critical] [NIST-800-53, PCI-DSS, SOX-ITGC]

### 22.41 — additional UCs (Encryption and key management attestation)
- UC-22.41.4 · TLS downgrade / legacy-cipher handshake spike [high] [HIPAA, NIST-800-53, PCI-DSS]
- UC-22.41.5 · Key custodian SoD — same identity creates AND approves a key [high] [NIST-800-53, PCI-DSS, SOX-ITGC]

### 22.42 — additional UCs (Change management and configuration baseline)
- UC-22.42.3 · Change rollback execution evidence — declared rollback vs actual [medium] [NIST-800-53, SOC-2, SOX-ITGC]
- UC-22.42.4 · CAB approval bypass — change pushed before scheduled window [high] [NIST-800-53, SOC-2, SOX-ITGC]
- UC-22.42.5 · Infrastructure-as-code drift — applied state diverges from merged plan [high] [ISO-27001, NIST-800-53, SOC-2]

### 22.43 — additional UCs (Vulnerability management and patch SLAs)
- UC-22.43.3 · Internet-facing asset × unpatched critical CVE [critical] [NIS2, NIST-800-53, PCI-DSS]
- UC-22.43.4 · Scanner coverage gap — regulated hosts without a recent scan [high] [ISO-27001, NIST-800-53, PCI-DSS]
- UC-22.43.5 · SBOM vendor-component CVE exposure [high] [EU-CRA, NIS2, NIST-800-53]

### 22.44 — additional UCs (Third-party and supply-chain risk)
- UC-22.44.4 · Vendor access telemetry — principals active outside contracted hours/geos [high] [DORA, NIS2, NIST-800-53]
- UC-22.44.5 · SBOM attestation completeness — critical vendors without signed SBOM [high] [EU-CRA, NIS2, NIST-800-53]

### 22.45 — additional UCs (Backup integrity and recovery testing)
- UC-22.45.4 · Backup repository TLS posture — aged or weak-cipher endpoints [medium] [DORA, HIPAA, NIST-800-53]
- UC-22.45.5 · Business-continuity rehearsal evidence — BCP/DR exercise execution logged [medium] [DORA, NIS2, NIST-800-53]

### 22.46 — additional UCs (Training and awareness)
- UC-22.46.3 · Privileged-role specialist training — admins lacking annual deep-training [medium] [HIPAA, NIST-800-53, PCI-DSS]
- UC-22.46.4 · Tabletop rehearsal evidence — IR plan exercise frequency [medium] [DORA, NIS2, NIST-800-53]
- UC-22.46.5 · Developer data-handling training — prod-access engineers lacking training [high] [GDPR, HIPAA, ISO-27001]

### 22.47 — additional UCs (Control testing evidence freshness)
- UC-22.47.3 · Control owner attestation freshness [medium] [ISO-27001, NIST-800-53, SOC-2]
- UC-22.47.4 · Evidence-pack drift — auditor-facing vs pre-production evidence [high] [SOC-2, SOX-ITGC]
- UC-22.47.5 · Continuous control monitoring anomaly — failure-rate trending up [high] [ISO-27001, NIST-800-53, SOC-2]

### 22.48 — additional UCs (Segregation of duties enforcement)
- UC-22.48.3 · Developer-to-production SoD — same developer submits AND approves merge [high] [ISO-27001, SOC-2, SOX-ITGC]
- UC-22.48.4 · Financial SoD — same identity posts AND approves a journal entry [critical] [SOC-2, SOX-ITGC]
- UC-22.48.5 · Vendor-master SoD — same identity creates vendor AND approves payment [critical] [PCI-DSS, SOX-ITGC]

### 22.49 — additional UCs (Retention and disposal automation)
- UC-22.49.4 · Retention policy drift — system config vs policy catalogue [high] [CCPA, GDPR, HIPAA]
- UC-22.49.5 · Cryptographic erasure attestation — per-asset destruction evidence [high] [GDPR, HIPAA, NIST-800-53]

### 22.3 — DORA (extended clauses)
- UC-22.3.41 · DORA Art.6 — ICT risk-management framework evidence: control catalogue drift detection [high] [DORA, ISO/IEC 27001, NIST 800-53]
- UC-22.3.42 · DORA Art.7 — ICT systems inventory completeness: unmanaged endpoints attached to financial services [high] [DORA, ISO/IEC 27001, NIS2]
- UC-22.3.43 · DORA Art.8 — ICT risk identification: newly discovered high-severity exposure on critical financial services [critical] [DORA, ISO/IEC 27001, NIST 800-53, PCI-DSS]
- UC-22.3.44 · DORA Art.17 — ICT incident classification timeliness: major-incident clock evidence [critical] [DORA, ISO/IEC 27001, NIS2]
- UC-22.3.45 · DORA Art.24 — Digital operational-resilience testing: test-plan execution attestation [high] [DORA, ISO/IEC 27001, NIST 800-53]

### 22.6 — ISO/IEC 27001 (extended clauses)
- UC-22.6.46 · ISO/IEC 27001:2022 Clause 6.1 — Risk-assessment evidence: live risk register decay [high] [DORA, ISO/IEC 27001, NIST 800-53]
- UC-22.6.47 · ISO/IEC 27001:2022 Clause 6.2 — Information-security objectives: measurable-target attainment [medium] [ISO/IEC 27001, NIST 800-53]
- UC-22.6.48 · ISO/IEC 27001:2022 Clause 8.2 — Operational risk-assessment: per-change risk-score recalculation [high] [ISO/IEC 27001, NIST 800-53]
- UC-22.6.49 · ISO/IEC 27001:2022 Clause 9.1 — Monitoring programme coverage: KPI telemetry uptime [high] [ISO/IEC 27001, NIST 800-53, SOC-2]
- UC-22.6.50 · ISO/IEC 27001:2022 Clause 9.2 — Internal audit coverage: control sample rotation [medium] [ISO/IEC 27001, NIST 800-53, SOC-2]
- UC-22.6.51 · ISO/IEC 27001:2022 Annex A.5.24 — Incident-management planning: runbook currency attestation [medium] [DORA, ISO/IEC 27001, NIST 800-53]
- UC-22.6.52 · ISO/IEC 27001:2022 Annex A.5.25 — Event classification decisions: SIEM-to-incident triage traceability [high] [DORA, ISO/IEC 27001, NIST 800-53, SOC-2]
- UC-22.6.53 · ISO/IEC 27001:2022 Clause 7.2 — Competence evidence: role-based training completion [medium] [HIPAA Security Rule, ISO/IEC 27001, PCI-DSS]
- UC-22.6.54 · ISO/IEC 27001:2022 Clause 7.5 — Documented information control: policy register approval trail [medium] [ISO/IEC 27001, NIST 800-53, SOC-2]
- UC-22.6.55 · ISO/IEC 27001:2022 Clause 8.1 — Operational planning: change advisory board (CAB) approval evidence [medium] [ISO/IEC 27001, SOC-2, SOX-ITGC]

### 22.8 — SOC 2 (extended clauses)
- UC-22.8.31 · SOC 2 CC6.6 — Encryption-in-transit validation: cleartext protocols crossing the trust boundary [high] [HIPAA Security Rule, ISO/IEC 27001, PCI-DSS, SOC-2]
- UC-22.8.32 · SOC 2 CC6.7 — System boundary & data-transmission control: unapproved egress destinations [high] [DORA, ISO/IEC 27001, PCI-DSS, SOC-2]
- UC-22.8.33 · SOC 2 CC7.1 — System-operations monitoring: uptime attestation and alert-noise governance [high] [DORA, ISO/IEC 27001, NIST 800-53, SOC-2]
- UC-22.8.34 · SOC 2 CC7.3 — Evaluated events: threshold breaches without documented rationale [medium] [DORA, ISO/IEC 27001, SOC-2]
- UC-22.8.35 · SOC 2 CC7.4 — Incident response: post-incident review completion SLA [high] [DORA, ISO/IEC 27001, SOC-2]
- UC-22.8.36 · SOC 2 CC1.1 — Integrity and ethical values: code-of-conduct acknowledgement trail [medium] [ISO/IEC 27001, SOC-2]
- UC-22.8.37 · SOC 2 CC9.1 — Risk-mitigation activity: vendor-risk action closure SLA [medium] [DORA, ISO/IEC 27001, SOC-2]
- UC-22.8.38 · SOC 2 C1.1 — Confidentiality: sensitive-data exposure at the egress boundary [high] [HIPAA Security Rule, ISO/IEC 27001, PCI-DSS, SOC-2]
- UC-22.8.39 · SOC 2 P1.1 — Privacy notice: consent-record freshness for privacy-notice version changes [medium] [GDPR, SOC-2]

### 22.11 — PCI DSS v4.0 (extended clauses)
- UC-22.11.91 · PCI-DSS 1.3 — CDE network boundary: unauthorised flows between CDE and untrusted networks [critical] [ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.92 · PCI-DSS 2.2 — Secure configuration baseline: drift from approved hardening template [high] [ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.93 · PCI-DSS 3.3 — Sensitive authentication data: cleartext PAN/CVV detection in logs [critical] [ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.94 · PCI-DSS 5.2 — Anti-malware: EDR coverage + detection-queue attestation [high] [ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS]
- UC-22.11.95 · PCI-DSS 6.2 — Bespoke-software SDLC: code-review + SAST completion before CDE deploy [high] [ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2, SOX-ITGC]
- UC-22.11.96 · PCI-DSS 8.3 — Strong authentication: password-only logins against privileged accounts [critical] [ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.97 · PCI-DSS 8.4 — MFA coverage: administrative access to CDE without MFA [critical] [DORA, ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS]
- UC-22.11.98 · PCI-DSS 8.6 — Application and system accounts: interactive use of a service account [high] [ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS]
- UC-22.11.99 · PCI-DSS 10.3 — Audit log integrity: tampering/deletion detection on CDE log source [critical] [ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2, SOX-ITGC]
- UC-22.11.100 · PCI-DSS 10.4 — Time synchronisation: NTP drift on CDE hosts [high] [ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS]
- UC-22.11.101 · PCI-DSS 10.6 — Log review: daily-review evidence for CDE data sources [high] [ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.102 · PCI-DSS 10.7 — Log retention: CDE data-source retention + immutability attestation [high] [ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS, SOX-ITGC]
- UC-22.11.103 · PCI-DSS 11.3 — Vulnerability programme: overdue scan cadence and unremediated high-severity [high] [DORA, ISO/IEC 27001, NIST 800-53, PCI DSS, PCI-DSS]
- UC-22.11.104 · PCI-DSS 11.4 — Intrusion detection: IDS signature/health attestation + untuned alert monitoring [high] [ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.105 · PCI-DSS 12.10 — Incident response: IR readiness — playbook exercise evidence [high] [DORA, ISO/IEC 27001, PCI DSS, PCI-DSS, SOC-2]
- UC-22.11.106 · PCI-DSS 12.3 — Targeted risk analysis: frequency adherence for per-requirement TRAs [medium] [DORA, ISO/IEC 27001, PCI DSS, PCI-DSS]

### 22.12 — SOX / ITGC (extended clauses)
- UC-22.12.36 · SOX-ITGC AccessMgmt.Provisioning — Financial-system user provisioning SLA & workflow adherence [high] [ISO/IEC 27001, PCI-DSS, SOC-2, SOX-ITGC]
- UC-22.12.37 · SOX-ITGC AccessMgmt.Termination — Deprovisioning SLA after HR termination event [critical] [ISO/IEC 27001, PCI-DSS, SOC-2, SOX-ITGC]
- UC-22.12.38 · SOX-ITGC ChangeMgmt.Testing — Financial-system change test-evidence completeness [high] [ISO/IEC 27001, PCI-DSS, SOC-2, SOX-ITGC]
- UC-22.12.39 · SOX-ITGC ChangeMgmt.Approval — Segregation of duties in financial-system change approval [critical] [ISO/IEC 27001, PCI-DSS, SOC-2, SOX, SOX-ITGC]
- UC-22.12.40 · SOX-ITGC Operations.JobSchedule — Batch-schedule monitoring: financial-job exception visibility [medium] [ISO/IEC 27001, SOC-2, SOX-ITGC]

### 22.50 — Tier-2 framework clause coverage
- UC-22.50.1 · APP 11 personal-information security — continuous evidence of protective controls [high] [AU Privacy Act]
- UC-22.50.2 · CJIS §5.13.3 incident response — detection, tracking, and reporting evidence [high] [CJIS]
- UC-22.50.3 · SYSC 3.2 internal-controls evidence — exceptions, approvals and audit trail [high] [FCA SM&CR]
- UC-22.50.4 · §164.504(e) Business Associate activity — PHI access by BA principals [high] [HIPAA Privacy]
- UC-22.50.5 · MAS TRM §11.1.1 system resilience — RTO/RPO burn-rate evidence [high] [MAS TRM]
- UC-22.50.6 · NERC CIP-008-6 R1 incident response plan — evidence of activation and review [high] [NERC CIP]
- UC-22.50.7 · Petroleumsforskriften §11 — emergency preparedness drill evidence [high] [NO Petroleumsforskriften]
- UC-22.50.8 · Sikkerhetsloven §6-1 — preventive control effectiveness across classified systems [high] [NO Sikkerhetsloven]
- UC-22.50.9 · NZISM §16.1.32 — user authentication strength & MFA coverage [high] [NZISM]
- UC-22.50.10 · PIPL Art.51 — information-security measures across PRC personal-data systems [high] [PIPL]
- UC-22.50.11 · QCB §4.1 — cyber-risk register evidence with treatment progress [high] [QCB Cyber]
- UC-22.50.12 · SA PDPL Art. 6 — processing-purpose and lawful-basis evidence [high] [SA PDPL]
- UC-22.50.13 · SWIFT CSCF 6.1 — malware protection across the SWIFT secure zone [high] [SWIFT CSP]
- UC-22.50.14 · Swiss nFADP Art.7 — privacy-by-design checkpoints in the SDLC [high] [Swiss nFADP]
- UC-22.50.15 · SYSC 4.1 organisational requirements — role-population and responsibilities map [medium] [FCA SM&CR]
- UC-22.50.16 · §164.528 accounting-of-disclosures — retention and responsiveness [medium] [HIPAA Privacy]
- UC-22.50.17 · NESA T3.5 cryptographic controls — key-age & HSM inventory evidence [medium] [NESA IAS]
- UC-22.50.18 · Personopplysningsloven §14 — automated-decision inventory and human-review evidence [medium] [NO Personopplysningsloven]
- UC-22.50.19 · Personopplysningsloven §2 — territorial/material scope tagging of data flows [medium] [NO Personopplysningsloven]
- UC-22.50.20 · Petroleumsforskriften §3 — operator safety/security obligation register [medium] [NO Petroleumsforskriften]
- UC-22.50.21 · Sikkerhetsloven §5-2 — annual internal security review activity [medium] [NO Sikkerhetsloven]
- UC-22.50.22 · NZISM §12.4 — policy documentation freshness and approval state [medium] [NZISM]
- UC-22.50.23 · SA PDPL Art. 29 — cross-border transfer inventory and legal-basis evidence [medium] [SA PDPL]

## 23. Business Analytics & Executive Intelligence

Business-aligned analytics for non-technical stakeholders — customer experience, revenue & sales, marketing ROI, HR & people, supply chain, finance, customer support, executive KPIs, and ESG sustainability reporting.

**Quick tip:** Use DB Connect to ingest CRM, ERP, and HRIS data alongside web logs and app telemetry for unified business intelligence in Splunk.
Full details: https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-23-business-analytics.md
Raw GitHub: https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-23-business-analytics.md

### 23.1 Customer Experience & Digital Analytics
- UC-23.1.1 · Website Conversion Funnel Analysis [high]
- UC-23.1.2 · Shopping Cart Abandonment Rate and Recovery [high]
- UC-23.1.3 · Real-Time Page Load Performance Impact on Revenue [high]
- UC-23.1.4 · Customer Satisfaction Score (CSAT/NPS) Trend Dashboard [medium]
- UC-23.1.5 · Customer Journey Cross-Channel Attribution [high]
- UC-23.1.6 · Mobile App Crash Rate and User Impact [high]
- UC-23.1.7 · Site Search Effectiveness and Zero-Result Rate [medium]
- UC-23.1.8 · Form Abandonment and Field-Level Drop-Off [high]
- UC-23.1.9 · Third-Party Tag and API Latency Impact on Engagement [medium]

### 23.2 Revenue & Sales Operations
- UC-23.2.1 · Sales Pipeline Velocity and Forecast Accuracy [critical]
- UC-23.2.2 · Revenue Recognition and Booking Trend [critical]
- UC-23.2.3 · Customer Churn Prediction and Early Warning [critical]
- UC-23.2.4 · Subscription Renewal and Expansion Pipeline [high]
- UC-23.2.5 · Pricing and Discount Effectiveness Analysis [medium]
- UC-23.2.6 · Quota Attainment and Capacity Coverage [critical]
- UC-23.2.7 · Average Contract Value and Deal Size Mix [medium]
- UC-23.2.8 · Win–Loss Reason Coding and Competitive Rate [high]

### 23.3 Marketing Performance & Attribution
- UC-23.3.1 · Marketing Campaign ROI by Channel [high]
- UC-23.3.2 · Lead-to-Revenue Funnel Conversion Rates [high]
- UC-23.3.3 · Email Campaign Performance and Engagement [medium]
- UC-23.3.4 · Website Traffic Source and SEO Performance [medium]
- UC-23.3.5 · Paid Media Cost Per Acquisition and Quality Score [high]
- UC-23.3.6 · Content Engagement and Lead Conversion Lift [medium]
- UC-23.3.7 · Webinar and Event Pipeline Contribution [medium]

### 23.4 HR & People Analytics
- UC-23.4.1 · Employee Attrition Analysis and Flight Risk [high]
- UC-23.4.2 · Time-to-Hire and Recruiting Pipeline Health [medium]
- UC-23.4.3 · Diversity and Inclusion Metrics Dashboard [medium]
- UC-23.4.4 · Training Completion and Compliance Tracking [high]
- UC-23.4.5 · Absence and Leave Pattern Monitoring [medium]
- UC-23.4.6 · Internal Mobility and Promotion Velocity [medium]
- UC-23.4.7 · Overtime Cost and Burnout Risk Indicator [high]

### 23.5 Supply Chain & Operations
- UC-23.5.1 · Order-to-Cash Cycle Time and Bottleneck Analysis [high]
- UC-23.5.2 · Inventory Level Monitoring and Stockout Risk [critical]
- UC-23.5.3 · Supplier On-Time Delivery Performance [high]
- UC-23.5.4 · Delivery SLA Compliance and Last-Mile Performance [high]
- UC-23.5.5 · Perfect Order Rate and Customer Impact [high]
- UC-23.5.6 · Capacity Utilisation vs Demand Forecast [high]
- UC-23.5.7 · Returns Rate and Reverse Logistics Cost [medium]

### 23.6 Financial Operations & Procurement
- UC-23.6.1 · Accounts Receivable Aging and Cash Collection [high]
- UC-23.6.2 · Expense Report Anomaly Detection [high]
- UC-23.6.3 · Budget vs Actual Variance Tracking [high]
- UC-23.6.4 · Payment Processing Success Rate and Revenue Leakage [critical]
- UC-23.6.5 · Purchase Order Cycle Time and Maverick Spend [high]
- UC-23.6.6 · Intercompany Reconciliation Exception Queue [high]

### 23.7 Customer Support & Service Excellence
- UC-23.7.1 · Support Ticket Volume and Resolution SLA Dashboard [high]
- UC-23.7.2 · First Contact Resolution Rate and Escalation Patterns [medium]
- UC-23.7.3 · Customer Effort Score and Support Channel Effectiveness [medium]
- UC-23.7.4 · Backlog Age and Breach Risk Forecast [high]
- UC-23.7.5 · Agent Occupancy and Schedule Adherence [medium]
- UC-23.7.6 · Knowledge Base Deflection and Self-Service ROI [medium]

### 23.8 Executive Dashboards & Business KPIs
- UC-23.8.1 · CEO/CFO Business Health Scorecard [critical]
- UC-23.8.2 · Operational Efficiency and Productivity Metrics [high]
- UC-23.8.3 · Business Risk Heatmap and Early Warning System [high]
- UC-23.8.4 · Rule-of-40 and SaaS Unit Economics [high]
- UC-23.8.5 · Customer Acquisition Cost and Payback Period [high]
- UC-23.8.6 · Working Capital and Cash Conversion Cycle [critical]

### 23.9 ESG & Sustainability Reporting
- UC-23.9.1 · Carbon Footprint Tracking and Reduction Progress [high]
- UC-23.9.2 · Energy Consumption and Efficiency by Facility [medium]
- UC-23.9.3 · Waste Diversion and Recycling Rate Tracking [medium]
- UC-23.9.4 · Water Consumption Monitoring and Conservation [medium]
- UC-23.9.5 · ESG Disclosure Readiness and Data Completeness [high]
- UC-23.9.6 · Renewable Energy Share and Green Tariff Attribution [medium]
- UC-23.9.7 · Scope 3 Commuting and Hybrid Work Emissions [low]