Threats disabled by default in Cayosoft Guardian
Some threat detection rules in Cayosoft Guardian are disabled by default due to their potential to introduce high system load or generate large volumes of data. These detections can impact server performance if not used carefully, especially in large or busy Active Directory environments.
This article outlines:
- Which threats are disabled by default
- Why they are disabled
- What to consider before enabling them
Threats disabled by default
| Threat ID | Name | Description |
|---|---|---|
| CTD-000026 | Regular Microsoft Entra user with Exchange Online PowerShell enabled | Detects standard (non-admin) Entra ID accounts that have Exchange Online PowerShell access enabled, which could increase the risk surface if such accounts are compromised. |
| CTD-000106 | AD domain with multiple failed authentication attempts via process | Detects brute force behavior by monitoring failed authentication attempts initiated by specific processes. |
| CTD-000107 | AD domain with multiple failed remote authentication attempts | Monitors remote login failures across the domain. |
| CTD-000108 | AD domain with multiple failed authentication attempts by non-existing users using Kerberos | Flags authentication attempts to non-existent users, which may indicate enumeration or brute force activity. |
| CTD-000110 | AD domain with multiple failed authentication attempts via Kerberos | Detects repeated failed Kerberos login attempts, often a sign of password guessing. |
| CTD-000118 | AD domain with multiple failed authentication attempts from invalid users via NTLM | Detects failed NTLM login attempts from unrecognized users. |
| CTD-000124 | Privileged AD user with failed logon attempts | Detects login failures for accounts with elevated privileges. |
| CTD-000183 | Honey account targeted with Kerberos pre-authentication attempts | Detects Kerberos pre-authentication failures against honey accounts. |
| CTD-000185 | Failed logon attempts targeting honey account | Detects a series of failed logon attempts targeting honey accounts. |
Enable these detections if you:
- Are actively monitoring for brute force, password spraying, or account enumeration attacks
- Have the capacity to investigate failed logon events
- Have tuned your environment (e.g., thresholds, exclusions) to reduce noise
To enable a disabled threat, see "How to enable threat alerts" in Threat Detection: How to triage threat alerts.
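The thresholds and exclusions mentioned above decide whether these rules are useful or noisy. The following is an added illustration written for this article, not Cayosoft Guardian's own detection logic: a simplified failed-logon counter over constructed Windows Security events (IDs 4771 and 4776; all account names and addresses are made up) showing the same burst of events evaluated untuned and with an exclusion for a known scanner, plus the honey-account rule that alerts on a single failure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (not real log data). Event IDs follow the
# Windows Security log: 4771 = Kerberos pre-authentication failed, 4776 = NTLM failed.
EVENTS = [
    # Five failures for five different users from one source in 20 seconds.
    {"ts": "2024-05-01T10:00:00", "id": 4771, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:05", "id": 4771, "user": "bob", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:09", "id": 4771, "user": "carol", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:12", "id": 4776, "user": "dave", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:20", "id": 4771, "user": "erin", "src": "10.0.0.5"},
    # One failure against a honey account: alerts on its own, no threshold.
    {"ts": "2024-05-01T10:02:00", "id": 4771, "user": "hny-backupadmin", "src": "10.0.0.7"},
    # One mistyped password by a real user: stays below the threshold.
    {"ts": "2024-05-01T10:03:00", "id": 4771, "user": "alice", "src": "10.0.0.8"},
]
# A vulnerability scanner (hypothetical) that legitimately produces a burst of NTLM failures.
EVENTS += [{"ts": f"2024-05-01T10:01:{i:02d}", "id": 4776, "user": "svc-scan",
            "src": "10.0.0.99"} for i in range(6)]


def detect(events, threshold=5, window=timedelta(minutes=1),
           excluded_sources=frozenset(), honey_accounts=frozenset()):
    """Return (rule, source) alerts. Failed logons are counted per source in a
    sliding window; sources in `excluded_sources` are ignored; any failure
    against a name in `honey_accounts` alerts immediately."""
    alerts = []
    per_source = defaultdict(list)  # source -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["user"].lower() in honey_accounts:
            alerts.append(("honey-account-failed-logon", ev["src"]))
            continue
        if ev["src"] in excluded_sources:
            continue
        recent = per_source[ev["src"]]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # expire entries outside the window
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.append(("multiple-failed-authentication", ev["src"]))
            recent.clear()  # one alert per burst, not one per event
    return alerts


if __name__ == "__main__":
    honey = frozenset({"hny-backupadmin"})
    print("untuned:", detect(EVENTS, honey_accounts=honey))
    print("tuned:  ", detect(EVENTS, excluded_sources=frozenset({"10.0.0.99"}),
                             honey_accounts=honey))
```

Untuned, the scanner burst raises a second "multiple-failed-authentication" alert; with the scanner's address excluded, only the spray-like source and the honey-account hit remain.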