T1115

Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications. On Windows, adversaries can read clipboard contents using PowerShell's Get-Clipboard cmdlet, the Win32 API functions OpenClipboard() and GetClipboardData(), or by invoking clip.exe in combination with scripting. macOS and Linux provide pbpaste and xclip/xsel utilities respectively. Clipboard content frequently contains high-value data including passwords copied from password managers, authentication tokens, cryptocurrency wallet addresses, PII, and internal URLs. Advanced malware such as Agent Tesla, RTM, Astaroth, CHIMNEYSWEEP, and DarkComet implement persistent clipboard monitoring loops that exfiltrate captured content, while crypto-clippers (a subclass) additionally replace clipboard content with attacker-controlled values to hijack cryptocurrency transactions.

Microsoft Sentinel / Defender

kusto

let ClipboardUtilities = dynamic(["clip.exe", "pbpaste", "xclip", "xsel", "xdotool"]);
let SuspiciousClipboardPatterns = dynamic([
  "Get-Clipboard", "GetClipboard", "get-clipboard",
  "OpenClipboard", "GetClipboardData", "EmptyClipboard",
  "win32clipboard", "pyperclip", "clipboard.paste",
  "xclip -o", "xclip -out", "xsel --output", "xsel -o",
  "pbpaste", "System.Windows.Forms.Clipboard",
  "[Windows.Forms.Clipboard]", "Clipboard.GetText",
  "Clipboard::GetText", "GetOpenClipboardWindow"
]);
let SuspiciousParents = dynamic([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
  "rundll32.exe", "msiexec.exe", "cmd.exe", "wmic.exe",
  "schtasks.exe", "at.exe"
]);
// Branch 1: Script engines and known tools accessing clipboard
let ClipboardViaScript = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (SuspiciousClipboardPatterns)
| extend DetectionBranch = "ScriptClipboardAccess"
| extend ClipboardMethod = case(
    ProcessCommandLine has "Get-Clipboard", "PowerShell Get-Clipboard",
    ProcessCommandLine has "win32clipboard" or ProcessCommandLine has "pyperclip", "Python Clipboard Module",
    ProcessCommandLine has "System.Windows.Forms.Clipboard", ".NET Forms Clipboard API",
    ProcessCommandLine has "OpenClipboard" or ProcessCommandLine has "GetClipboardData", "Win32 API Direct Call",
    ProcessCommandLine has "xclip" or ProcessCommandLine has "xsel", "Linux Clipboard Utility",
    "Unknown");
// Branch 2: Clipboard utilities spawned from suspicious parent processes
let ClipboardUtilityFromSuspiciousParent = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ClipboardUtilities)
| where InitiatingProcessFileName in~ (SuspiciousParents)
    or InitiatingProcessFileName has_any ("python", "perl", "ruby", "node")
| extend DetectionBranch = "ClipboardUtilitySuspiciousParent"
| extend ClipboardMethod = strcat("Native Utility: ", FileName);
// Branch 3: PowerShell clipboard loop pattern (persistent monitoring)
let ClipboardMonitoringLoop = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Get-Clipboard" and
        (ProcessCommandLine has "while" or ProcessCommandLine has "Start-Sleep" or ProcessCommandLine has "loop")
| extend DetectionBranch = "ClipboardMonitoringLoop"
| extend ClipboardMethod = "Persistent Clipboard Monitor";
union ClipboardViaScript, ClipboardUtilityFromSuspiciousParent, ClipboardMonitoringLoop
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, ClipboardMethod, ProcessId, InitiatingProcessId
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Password managers (KeePass, Bitwarden, 1Password) auto-clearing clipboard after paste using scripts or scheduled tasks
Remote Desktop Protocol (RDP) and virtual desktop infrastructure (VDI) clipboard synchronization agents running as background services
Legitimate clipboard manager utilities (Ditto, ClipX, CopyQ, Paste) that monitor and log clipboard history for productivity
Accessibility software and screen readers (NVDA, JAWS, Windows Narrator) that access clipboard content for reading aloud
Development and testing automation frameworks (Selenium, AutoHotkey, PyAutoGUI) using clipboard for UI automation workflows
Help desk and IT tools that read clipboard content for ticketing or remote assistance purposes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
// Branch 1: Scripting engines invoking clipboard APIs
| eval IsScriptEngine=if(match(Image, "(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe|perl\.exe|ruby\.exe|node\.exe)"), 1, 0)
| eval ClipboardAPI=if(match(CommandLine, "(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext)"), 1, 0)
// Branch 2: Native clipboard utilities
| eval NativeClipUtil=if(match(Image, "(\\\\clip\.exe$|\\\\xclip$|\\\\xsel$|\\\\xdotool$)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)"), 1, 0)
// Branch 3: Clipboard monitoring loop pattern
| eval ClipboardLoop=if(match(CommandLine, "get-clipboard") AND match(CommandLine, "(while|start-sleep|foreach|-loop)"), 1, 0)
// Score and filter
| eval ClipboardScore=ClipboardAPI + NativeClipUtil + ClipboardLoop
| eval SuspicionScore=ClipboardScore + (if(IsScriptEngine=1 AND ClipboardAPI=1, 1, 0)) + (if(NativeClipUtil=1 AND SuspiciousParent=1, 1, 0)) + (if(ClipboardLoop=1, 2, 0))
| eval DetectionBranch=case(
    ClipboardLoop=1, "ClipboardMonitoringLoop",
    IsScriptEngine=1 AND ClipboardAPI=1, "ScriptClipboardAccess",
    NativeClipUtil=1 AND SuspiciousParent=1, "ClipboardUtilitySuspiciousParent",
    true(), "Informational")
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, ClipboardAPI, NativeClipUtil, ClipboardLoop, SuspicionScore
| sort - SuspicionScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Password managers (KeePass, Bitwarden, 1Password) auto-clearing clipboard after paste using scripts or scheduled tasks
Remote Desktop Protocol (RDP) and virtual desktop infrastructure (VDI) clipboard synchronization agents running as background services
Legitimate clipboard manager utilities (Ditto, ClipX, CopyQ, Paste) that monitor and log clipboard history for productivity
Accessibility software and screen readers (NVDA, JAWS, Windows Narrator) that access clipboard content for reading aloud
Development and testing automation frameworks (Selenium, AutoHotkey, PyAutoGUI) using clipboard for UI automation workflows
Help desk and IT tools that read clipboard content for ticketing or remote assistance purposes

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     (
       process.name in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe", "mshta.exe") and
       process.command_line like~ ("*Get-Clipboard*", "*GetClipboard*", "*get-clipboard*", "*OpenClipboard*", "*GetClipboardData*", "*win32clipboard*", "*pyperclip*", "*clipboard.paste*", "*System.Windows.Forms.Clipboard*", "*[Windows.Forms.Clipboard]*", "*Clipboard.GetText*", "*Clipboard::GetText*", "*GetOpenClipboardWindow*")
     ) or
     (
       process.name in~ ("clip.exe", "pbpaste", "xclip", "xsel", "xdotool") and
       process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "cmd.exe", "wmic.exe", "schtasks.exe", "python.exe", "python3.exe", "perl.exe", "ruby.exe", "node.exe")
     ) or
     (
       process.name in~ ("powershell.exe", "pwsh.exe") and
       process.command_line like~ "*Get-Clipboard*" and
       (process.command_line like~ "*while*" or process.command_line like~ "*Start-Sleep*" or process.command_line like~ "*loop*")
     )
   )
  ] by process.entity_id

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration) Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate password manager utilities (1Password, KeePass, Bitwarden CLI) that interface with the clipboard for copy-to-clipboard operations
IT automation scripts that use clipboard APIs for legitimate content transformation pipelines (e.g. RPA tools, AutoHotkey scripts run by business users)
Developers testing clipboard functionality in IDEs or running unit tests for clipboard-aware applications (xclip/xsel used in shell scripts for terminal utilities)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name",
  "Command" AS command_line,
  "Parent Process Name",
  CASE
    WHEN LOWER("Command") MATCHES '.*get-clipboard.*' AND (LOWER("Command") MATCHES '.*(while|start-sleep|loop).*') THEN 'ClipboardMonitoringLoop'
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe)' AND LOWER("Command") MATCHES '.*(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext).*' THEN 'ScriptClipboardAccess'
    WHEN LOWER("Process Name") MATCHES '.*(clip\.exe|xclip|xsel|xdotool|pbpaste)' AND LOWER("Parent Process Name") MATCHES '.*(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)' THEN 'ClipboardUtilitySuspiciousParent'
    ELSE 'Informational'
  END AS detection_branch,
  CASE
    WHEN LOWER("Command") MATCHES '.*get-clipboard.*' AND (LOWER("Command") MATCHES '.*(while|start-sleep|loop).*') THEN 3
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe)' AND LOWER("Command") MATCHES '.*(get-clipboard|openclipboard|win32clipboard|pyperclip).*' THEN 2
    WHEN LOWER("Process Name") MATCHES '.*(clip\.exe|xclip|xsel|pbpaste)' AND LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|regsvr32|rundll32|python|perl|ruby|node).*' THEN 2
    ELSE 1
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352)
  AND QIDNAME(qid) IN ('Process Create', 'Windows Process Creation')
  AND (
    (
      LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe)'
      AND LOWER("Command") MATCHES '.*(get-clipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext).*'
    ) OR (
      LOWER("Process Name") MATCHES '.*(\\\\clip\.exe|\\\\xclip|\\\\xsel|\\\\xdotool|\\\\pbpaste)'
      AND LOWER("Parent Process Name") MATCHES '.*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|python|perl|ruby|node).*'
    ) OR (
      LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe)'
      AND LOWER("Command") MATCHES '.*get-clipboard.*'
      AND LOWER("Command") MATCHES '.*(while|start-sleep|loop).*'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY suspicion_score DESC, starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM QRadar Microsoft Windows DSM

Required Tables

events

False Positives

Enterprise RPA (Robotic Process Automation) platforms such as UiPath or Automation Anywhere that spawn script engines for clipboard-based automation workflows
Helpdesk and remote support tools (e.g., TeamViewer, AnyDesk scripts) that copy diagnostic data to clipboard via scripting
Developer build pipelines or CI agents that use Python clipboard modules during test harness execution on developer workstations

Sumo Logic CSE

sql

_sourceCategory="*windows*sysmon*" OR _sourceCategory="*endpoint*process*"
| json auto
| where EventID = "1" OR event_id = "1"
| eval image = lower(Image)
| eval cmdline = lower(CommandLine)
| eval parent = lower(ParentImage)
// Branch 1: Script engines using clipboard APIs
| eval is_script_engine = if(image matches "/(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe|perl\.exe|ruby\.exe|node\.exe)$/", 1, 0)
| eval has_clipboard_api = if(cmdline matches "/(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext|getopencl ipboardwindow)/", 1, 0)
// Branch 2: Native clipboard utilities from suspicious parents
| eval is_clip_util = if(image matches "/(clip\.exe|xclip|xsel|xdotool|pbpaste)$/", 1, 0)
| eval suspicious_parent = if(parent matches "/(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)/", 1, 0)
// Branch 3: Clipboard monitoring loop
| eval is_clipboard_loop = if((cmdline matches "/get-clipboard/") AND (cmdline matches "/(while|start-sleep|foreach|-loop)/"), 1, 0)
// Scoring
| eval clipboard_score = has_clipboard_api + is_clip_util + is_clipboard_loop
| eval suspicion_score = clipboard_score
  + if(is_script_engine = 1 AND has_clipboard_api = 1, 1, 0)
  + if(is_clip_util = 1 AND suspicious_parent = 1, 1, 0)
  + if(is_clipboard_loop = 1, 2, 0)
| where suspicion_score > 0
| eval detection_branch = if(is_clipboard_loop = 1, "ClipboardMonitoringLoop",
    if(is_script_engine = 1 AND has_clipboard_api = 1, "ScriptClipboardAccess",
    if(is_clip_util = 1 AND suspicious_parent = 1, "ClipboardUtilitySuspiciousParent",
    "Informational")))
| fields _messageTime, ComputerName, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_branch, has_clipboard_api, is_clip_util, is_clipboard_loop, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon for Windows via Sumo Logic Source Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*endpoint*process*

False Positives

Legitimate clipboard manager applications (e.g., Ditto, ClipboardFusion) that use system APIs to monitor and persist clipboard history on user workstations
Accessibility software and screen readers that access clipboard content as part of assistive technology workflows
Enterprise endpoint management agents or MDM tools that run PowerShell clipboard operations during provisioning or configuration management tasks

Google Chronicle / SecOps

yaral

rule t1115_clipboard_data_collection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects clipboard data collection via scripting engine API abuse, native clipboard utilities launched from suspicious parent processes, and persistent clipboard monitoring loops (MITRE ATT&CK T1115)"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1115"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    (
      // Branch 1: Script engines invoking clipboard APIs
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe|perl\.exe|ruby\.exe|node\.exe)$`)
        )
        and (
          re.regex($e.principal.process.command_line, `(?i)(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext|getopencl ipboardwindow)`)
        )
      )
      or
      // Branch 2: Native clipboard utilities from suspicious parents
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)(clip\.exe|xclip|xsel|xdotool|pbpaste)$`)
        and re.regex($e.principal.process.parent_process.file.full_path, `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)$`)
      )
      or
      // Branch 3: Clipboard monitoring loop pattern
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.principal.process.command_line, `(?i)get-clipboard`)
        and re.regex($e.principal.process.command_line, `(?i)(while|start-sleep|foreach|-loop)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne forwarders) Chronicle Windows Event Log ingestion

Required Tables

UDM events (PROCESS_LAUNCH type)

False Positives

Security awareness training tools that demonstrate clipboard hijacking by reading/writing clipboard content during controlled educational exercises on employee workstations
Custom internal tooling that wraps clip.exe or xclip for log collection or report generation pipelines launched from document macros in controlled environments
Browser automation frameworks (Selenium, Playwright) used in QA environments that interact with clipboard during end-to-end test execution

CrowdStrike LogScale (CQL)

cql

// T1115 - Clipboard Data Collection Detection
// Branch 1: Script engines invoking clipboard APIs
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe|perl\.exe|ruby\.exe|node\.exe)$/
| CommandLine = /(?i)(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext|getopencl ipboardwindow)/
| eval DetectionBranch="ScriptClipboardAccess"
| eval SuspicionScore=2

| union [
  // Branch 2: Native clipboard utilities from suspicious parents
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(clip\.exe|xclip|xsel|xdotool|pbpaste)$/
  | ParentBaseFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)$/
  | eval DetectionBranch="ClipboardUtilitySuspiciousParent"
  | eval SuspicionScore=2
]

| union [
  // Branch 3: Persistent clipboard monitoring loop
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/
  | CommandLine = /(?i)get-clipboard/
  | CommandLine = /(?i)(while|start-sleep|foreach|-loop)/
  | eval DetectionBranch="ClipboardMonitoringLoop"
  | eval SuspicionScore=4
]

| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore, TargetProcessId, ContextProcessId])
| sort(SuspicionScore, order=desc)
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) CrowdStrike Falcon LogScale (Humio) Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2

False Positives

Falcon sensor false positives from legitimate PowerShell administration scripts that check clipboard state as part of session cleanup or remote desktop session management
Software deployment tools (SCCM, PDQ Deploy) that run Python or PowerShell scripts leveraging clipboard APIs during automated software installation workflows
Penetration testing toolkits run by authorized red team members during scheduled assessments — coordinate with red team calendar before escalating alerts

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1115 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Clipboard Data

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections