This document provides a comprehensive overview of all Human Risk Management (HRM) alerts and behaviors that can be ingested via the Right-Hand HRM platform, organized by each product integration.
Abnormal Security
Email Security Threats:
Employee Received an Extortion Email
Employee Received a phishing email asking for sensitive data
Employee received a Business Email Compromise Email
Employee Received a Scam email
Employee Received a Reconnaissance email
Employee received an email with a link hosting malware
Employee Received a Malware via Email
Employee Received a Malware as a via Email
Employee Received an Invoice Payment Fraud
Employee received a credential Phishing Email
Cloudflare Area 1 Email Security
Email Threat Detection:
Suspicious Email
Spoofed Domain Email
BEC Alert
Spam Email
Malicious Email Detected
Cloudflare ZTNA
Web Access Security:
User visited a website with illegal child abuse content
User visited a dating website
User visited a drug website
User visited an adult website
User visited a website that spoofs clicks, impressions, or conversions for ads
User visited a gambling website
User visited a website known to be part of botnet or command-and-control activities
User visited a website involved in cryptomining activities
User visited a website hosting potential malicious content
User visited a website that may contain security risks
User visited a website known for phishing
Malware download attempt detected on a user's device
CrowdStrike
Endpoint Security:
Accidental Tool Download
Spearphishing Attack
Ransomware
Suspicious Login
Suspicious Credentials File
Data Theft Bluetooth Cellular
Adware File
C2 Server Alert
Malware
Malicious Document
Suspicious Remote Access
Unintended Java Download
Unintended Malicious Download via Browser
Unintended Malicious Download
Microsoft Defender for Cloud Apps
Cloud Security & Data Protection:
Malware detected in employee's cloud storage
Access to an S3 bucket made public
Employee shared source code to an external domain
Unused files made publicly available by an employee
Employee shared a file externally that has a sensitive file extension
Employee potentially shared data to or with unsanctioned apps
Account Compromise: Suspicious file access detected
Brute-force attack detected in relation to an employee
Account Compromise: Unusual region for cloud resource
Account Compromise: Unusual multiple storage deletion activities
Account Compromise: Unusual multiple VM creation activities
Account Compromise: Unusual Power BI report sharing done by an employee
Account Compromise: Unusual impersonation activities detected in relation to an employee
Account Compromise: Unusual file deletions done by employee
Unusual file share activities detected from an employee
Unusual multiple file download activities detected from an employee
Suspicious downloads from Connected apps used by employee
Suspicious email manipulation rules were created in employee's email account
Suspicious email forwarding rules were created in employee's email account
Employee might be accessing their system via a proxy
Employee account might be compromised due to a CNC, password spray attack
Ransomware activity detected in relation to employee
Microsoft Defender for O365
Office 365 Security:
Atypical Travel
Unfamiliar Sign-In Properties
Employee Clicked a potentially malicious URL
Employee Clicked a potentially malicious URL and overrode the safelinks warning
An email with a malicious file was directed to the employee
A malicious email campaign was directed at the workforce
Scam, BEC, Spearphishing attack directed at the employee
Employee reported an email as a Phish or Malware
Account Compromise: Employee sent bulk outbound emails
Account Compromise: Employee used MS forms to phish others
A Malicious attack directed at employees via MS forms
Campaign with emails containing malware directed at employees
Account Compromise: Potential nation-state attack directed at employee
Account Compromise: Suspicious email forwarding rules created by employees
Campaign with emails containing malware blocked
Account Compromise: Suspicious emails forwarded by employee
Account Compromise: Employee restricted from sending emails due to suspicious activity
Account Compromise: Employee restricted from sharing forms and collecting responses
Attempt to get credential access for an Employee's Account
Spearphishing attack directed at an Employee
Potential ransomware attack directed at an employee
Employee used an add-in that showcases suspicious behavior
Malicious sign-in from an unusual user agent
Connection to a suspicious domain related to credential phishing
Phishing document detected on a user device
Sign-in from an anonymous IP address
Microsoft Sentinel
SIEM & Security Analytics:
Note: Microsoft Sentinel aggregates alerts from other Microsoft security tools. The following alerts are sourced from various integrated platforms:
From Office 365:
Account Compromise: Employee sent bulk outbound emails
Campaign with emails containing malware blocked
Campaign with emails containing malware directed at employees
A Malicious attack directed at employees via MS forms
Account Compromise: Employee used MS forms to phish others
Employee reported an email as a Phish or Malware
Potential ransomware attack directed at an employee
Account Compromise: Suspicious email forwarding rules created by employees
Scam, BEC, Spearphishing attack directed at the employee
A malicious email campaign was directed at the workforce
An email with a malicious file was directed to the employee
Account Compromise: Potential nation-state attack directed at employee
Account Compromise: Suspicious emails forwarded by employee
Account Compromise: Employee restricted from sending emails due to suspicious activity
Account Compromise: Employee restricted from sharing forms and collecting responses
Attempt to get credential access for an Employee's Account
Spearphishing attack directed at an Employee
Employee used an add-in that showcases suspicious behavior
Employee Clicked a potentially malicious URL and overrode the safelinks warning
Employee Clicked a potentially malicious URL
From Cloud Apps:
Account Compromise: Unusual impersonation activities detected in relation to an employee
Access to an S3 bucket made public
Employee shared source code to an external domain
Unused files made publicly available by an employee
Employee shared a file externally that has a sensitive file extension
Employee potentially shared data to or with unsanctioned apps
Brute-force attack detected in relation to an employee
Account Compromise: Suspicious file access detected
Account Compromise: Unusual region for cloud resource
Account Compromise: Unusual multiple storage deletion activities
Account Compromise: Unusual multiple VM creation activities
Account Compromise: Unusual Power BI report sharing done by an employee
Malware detected in employee's cloud storage
Employee account might be compromised due to a CNC, password spray attack
Employee might be accessing their system via a proxy
Suspicious email manipulation rules were created in employee's email account
Suspicious downloads from Connected apps used by employee
Unusual multiple file download activities detected from an employee
Unusual file share activities detected from an employee
Account Compromise: Unusual file deletions done by employee
Mimecast
Email Security:
Employee Sent a Malicious File via email
Sensitive Data Exposure
Employee Received a malicious file via email
Employee Sent a Malicious File to a coworker
Employee received a spoof email
Employee received a targeted impersonation email
Employee received an Impersonation email attack
Employee clicked on a Malicious Link (Category: Compromised Website)
Employee clicked on a Malicious Link (Category: Phishing & Fraud)
Employee clicked on a Malicious Link (Category: Spam Sites)
Employee clicked on a Malicious Link (Category: Suspicious)
Employee clicked on a Malicious Link (Category: Malware)
Employee clicked on a Malicious Link (Category: Botnets)
Netskope
Cloud Security & Web Protection:
Employee tried to visit a prohibited Website (Category: Botnets)
Employee tried to visit a prohibited Website (Category: Spam)
Employee tried to visit a prohibited Website (Category: Cryptocurrency Mining)
Employee tried to visit a prohibited Website (Category: Malware Distribution Point)
Employee tried to visit a prohibited Website (Category: Hacking)
Employee tried to visit a prohibited Website (Category: Spyware & Questionable Software)
Employee tried to visit a prohibited Website (Category: Compromised/Malicious Sites)
Employee tried to visit a prohibited Website (Category: Command and Control Server)
Employee tried to visit a prohibited Website (Category: Ad Fraud)
Employee tried to visit a prohibited Website (Category: Phishing/Fraud)
Password-Protected Files Uploaded to External Domain or App
Employee used an unmanaged device
Employee shared financial information
Password Breach Detected
Employee shared PII externally
Proofpoint
Email Security & Threat Protection:
Spam Email directed at an employee
Unsafe Attachments in Email Detected
Malware sent via URL in an email sent to employee
Spam Containing Unsafe Attachment Detected
Employee clicked on a URL containing Malware sent via an email
Employee clicked on a URL containing Phishing Link sent via an email
Employee clicked on a URL in a spam email
Imposter Threat directed at employee
Malware attached to an email sent to employee
Phishing Email directed at an employee
SentinelOne
Endpoint Detection & Response:
Potentially Unwanted Application found on employee's device
Adware found on employee's device
Virus found on employee's device
Cryptomining detected on employee's device
Malicious PDF found on employee's device
Malicious Office Document found on employee's device
Malware found on employee's device
Ransomware found on employee's device
Trojan found on employee's device
Splunk
Security Information & Event Management:
Authentication & Access:
MFA Method Changed
Sign-in from New Location
Sign-in from New Device
Multiple Failed MFA Attempts
Password Changed
New MFA Method Added
General Security:
Malicious Website
Blocked Site
Blocked File Upload
Data Loss Prevention (DLP)
Malicious Email Attachment
Impersonation Email
Malicious URL in Email
Credential Theft
BEC Email Alert
HTTP Policy Blocked Content
Malicious File
Integrated Alerts from Other Platforms:
From CrowdStrike:
Adware File
C2 Server Alert
Malicious Document
Spearphishing Attack
Ransomware
Suspicious Login
Suspicious Credentials File
Malware
Suspicious Remote Access
Unintended Java Download
Unintended Malicious Download via Browser
Unintended Malicious Download
Accidental Tool Download
Data Theft Bluetooth Cellular
From Proofpoint:
Spam Containing Unsafe Attachment Detected
Employee clicked on a URL containing Malware sent via an email
Employee clicked on a URL containing Phishing Link sent via an email
Employee clicked on a URL in a spam email
Imposter Threat directed at employee
Malware attached to an email sent to employee
Spam Email directed at an employee
Phishing Email directed at an employee
Unsafe Attachments in Email Detected
Malware sent via URL in an email sent to employee
From SentinelOne:
Malware found on employee's device
Ransomware found on employee's device
Trojan found on employee's device
Potentially Unwanted Application found on employee's device
Adware found on employee's device
Virus found on employee's device
Cryptomining detected on employee's device
Malicious PDF found on employee's device
Malicious Office Document found on employee's device
This documentation covers all available alert types that can be ingested and processed through the Right-Hand HRM platform. Each integration provides specific security monitoring capabilities that contribute to comprehensive human risk visibility and management.