Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • A Backup vault policy was modified Low Cloud

    A cloud identity has modified backup vault access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Manipulate access to a backup vault.
    Investigative actions: Check if the {identity_name} intended to modify the backup vault policy. Check additional activity by {identity_name}.
  • A Cloud DB instance was exported to an unknown destination Informational Cloud

    A Cloud DB instance was exported to a foreign storage destination.The destination storage has not been seen in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate sensitive database content to an external or attacker-controlled bucket.
    Investigative actions: Verify if the destination bucket is authorized for data export. Investigate the identity performing the action for unusual behavior or lack of authorization. Assess the sensitivity of the data within the source Cloud DB instance to determine impact.
  • A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Informational overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Medium overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A GCP Cloud SQL DB instance was exported from a production account Informational Cloud

    A GCP Cloud SQL DB instance was exported to a storage bucket.The DB instance was exported from a production account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source Cloud DB instance. Review further actions performed by the identity.
  • A GCP service account was delegated domain-wide authority in Google Workspace Low Identity Threat Module 1 variation

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious Apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account and granted him access to a sensitive scope

    Medium overridden

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account. overridden

  • A Google Workspace Role privilege was deleted Informational Identity Threat Module

    A privilege was removed from a Google Workspace Role, This could potentially affect the access to services and data in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to sensitive data stored in the workspace. Gain elevated privileges in the workspace.
    Investigative actions: Investigate who was assigned the deleted role privilege. Verify if the role privilege was deleted intentionally.
  • A Google Workspace identity created, assigned or modified a role Informational Identity Threat Module 3 variations

    A Google Workspace identity created, assigned or modified a delegated admin role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may create, assign or modify a role to elevate the permissions of other user accounts and persist in their target's environment.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the identity's role designation in the organization. Follow further actions done by the account.

    Variations

    A non-administrative Google Workspace identity created, assigned or modified a role from an unusual ASN

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

    A non-administrative Google Workspace identity created, assigned or modified a role

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

    A Google Workspace identity created, assigned or modified a role from an unusual ASN

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

  • A Google Workspace identity performed an unusual admin console activity Informational Identity Threat Module 1 variation

    A Google Workspace identity performed an admin console activity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: To do.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the changes that were made look suspicious. Follow further actions done by the account.

    Variations

    A non-administrative Google Workspace identity performed an unusual admin console activity

    Informational overridden

    A Google Workspace identity performed an admin console activity for the first time. overridden

  • A Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Access sensitive data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.

    Variations

    A suspicious Google Workspace identity used the security investigation tool

    Low overridden

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden

  • A Google Workspace service was configured as unrestricted Informational Identity Threat Module 3 variations

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    A Google Workspace service was configured as unrestricted by a suspicious identity

    Low overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

    A Google Workspace service was configured as unrestricted from an unusual ASN

    Low overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

    A Google Workspace service was configured as unrestricted by a non-administrative identity

    Informational overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

  • A Google Workspace user was added to a group Informational Identity Threat Module

    A user added another user to a Google Workspace group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate accounts and groups to maintain access to victim systems.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user was added to a sensitive group. Follow further actions done by the account.
  • A Google Workspace user was removed from a group Informational Identity Threat Module

    A user removed another user from a Google Workspace group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may interrupt the availability of services and resources by inhibiting access to users.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user's work can be affected by this action. Follow further actions done by the account.
  • A Kubernetes API operation was successfully invoked by an anonymous user Medium Cloud 1 variation

    An unauthenticated user successfully invoked API calls within the Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain initial access to a Kubernetes cluster.
    Investigative actions: Determine which resources were accessed anonymously. Verify whether the affected resource should be accessed by unauthenticated users.

    Variations

    A Kubernetes API operation was successfully invoked by an anonymous user outside the cluster

    High overridden

    An unauthenticated user successfully invoked API calls within the Kubernetes cluster. overridden

  • A Kubernetes ConfigMap was created or deleted Informational Cloud

    A Kubernetes ConfigMap was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence using valid credentials.
    Investigative actions: Check which changes were made to the Kubernetes ConfigMap.
  • A Kubernetes Cronjob was created Informational Cloud

    A Kubernetes CronJob was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence by scheduling deployment of containers configured to execute malicious code.
    Investigative actions: Check which changes were made to the Kubernetes CronJob.
  • A Kubernetes DaemonSet was created Informational Cloud

    A Kubernetes DaemonSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes DaemonSet.
  • A Kubernetes Pod was created with a sidecar container Informational Cloud

    A Kubernetes Pod was created with a sidecar container.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes Pod was deleted Informational Cloud

    A Kubernetes Pod was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Destroy data to interrupt cluster services and availability.
    Investigative actions: Check which Kubernetes Pods were deleted.
  • A Kubernetes ReplicaSet was created Informational Cloud

    A Kubernetes ReplicaSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes ReplicaSet.
  • A Kubernetes StatefulSet was created Informational Cloud

    A Kubernetes StatefulSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes StatefulSet.
  • A Kubernetes cluster role binding was created or deleted Informational Cloud

    A Kubernetes cluster role binding was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.
    Investigative actions: Check which changes were made to the Kubernetes cluster role binding.
  • A Kubernetes cluster was created or deleted Informational Cloud

    A Kubernetes cluster was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Leverage access to manipulate the Kubernetes infrastructure.
    Investigative actions: Check which changes were made to the Kubernetes cluster and whether they are expected.
  • A Kubernetes dashboard service account was used outside the cluster Medium Cloud 1 variation

    A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain initial access to the Kubernetes cluster.
    Investigative actions: Determine which Kubernetes resources were accessed through the dashboard. Check whether any changes were made to the Kubernetes cluster.

    Variations

    A Kubernetes dashboard service account was unsuccessfully used outside the cluster

    Low overridden

    A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.The operation was unsuccessful. overridden

  • A Kubernetes deployment was created Informational Cloud

    A Kubernetes deployment was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes ephemeral container was created Informational Cloud

    A Kubernetes ephemeral container was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes namespace was created or deleted Informational Cloud

    A Kubernetes namespace was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Manipulating namespace name to make it appear legitimate or benign.
    Investigative actions: Check which changes were made to the Kubernetes namespace.
  • A Kubernetes node service account activity from external IP Informational Cloud 1 variation

    A Kubernetes node service account was seen operating from an external IP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Determine which resources were accessed by the node service account. Investigate other actions made by the node service account.

    Variations

    A Kubernetes node service account was used outside the cluster

    Low overridden

    A Kubernetes node service account was seen operating from an external IP. overridden

  • A Kubernetes role binding was created or deleted Informational Cloud

    A Kubernetes role binding was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Obtain Kubernetes secrets to access restricted information.
    Investigative actions: Check which changes were made to the Kubernetes secret.
  • A Kubernetes secret was created or deleted Informational Cloud

    A Kubernetes secret was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Obtain Kubernetes secrets to access restricted information.
    Investigative actions: Check which changes were made to the Kubernetes secret.
  • A Kubernetes service account executed an unusual API call Informational Cloud 4 variations

    A Kubernetes service account executed an unusual API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Abuse a service account token to gain access to the Kubernetes cluster.
    Investigative actions: Verify whether the service account should be executing this API. Investigate other operations that were performed by the service account within the cluster.

    Variations

    A Kubernetes service account executed an API call on a first-seen resource

    Low overridden

    A Kubernetes service account executed an API call on a first-seen resource. overridden

    A Kubernetes service account executed an API call on an unusual sensitive resource

    Low overridden

    A Kubernetes service account executed an API call on an unusual sensitive resource. overridden

    A Kubernetes service account executed an unusual modification API call

    Informational overridden

    A Kubernetes service account executed an unusual modification API call. overridden

    A Kubernetes service account executed an API call on an unusual resource

    Informational overridden

    A Kubernetes service account executed an API call on an unusual resource. overridden

  • A Kubernetes service account has enumerated its permissions Informational Cloud 2 variations

    A Kubernetes service account has enumerated its permissions using the self subject review API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Discover permissions to the Kubernetes cluster.
    Investigative actions: Determine the scope of the Kubernetes service account permissions. Review additional activity of the Kubernetes service account.

    Variations

    Suspicious permission enumeration by a Kubernetes service account

    Low overridden

    A Kubernetes service account has enumerated its permissions using the self subject review API. overridden

    A Kubernetes service account attempted to enumerate its permissions

    Low overridden

    A Kubernetes service account has attempted to enumerate its permissions using the self subject review API. overridden

  • A Kubernetes service account was created or deleted Informational Cloud 1 variation

    A Kubernetes service account was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence using a valid service account.
    Investigative actions: Check which changes were made to the Kubernetes service account.

    Variations

    A Kubernetes service account was created or deleted in a default namespace

    Informational overridden

    A Kubernetes service account was created or deleted. overridden

  • A Kubernetes service was created or deleted Informational Cloud

    A Kubernetes service was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Attackers may attempt to perform denial-of-service attacks to make services unavailable.
    Investigative actions: Check which changes were made to the Kubernetes service.
  • A LOLBIN was copied to a different location Informational 2 variations

    To evade detection, attackers may copy a LOLBIN executable to a different location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Attacker's goals: Command execution via lolbins and detection avoidance via file rename.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the lolbin and try to see if it's benign.

    Variations

    A LOLBIN was copied to a different location using a rare command line

    High overridden

    To evade detection, attackers may copy a LOLBIN executable to a different location. overridden

    A LOLBIN was copied to a different location using a rare command line via a commonly used method

    Low overridden

    To evade detection, attackers may copy a LOLBIN executable to a different location. overridden

  • A Microsoft Teams application was installed Informational Identity Threat Module 1 variation

    A Microsoft Teams application was installed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to install this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.

    Variations

    A Microsoft Teams application was installed with special parameters

    Low overridden

    A Microsoft Teams application was installed. overridden

  • A Microsoft Teams bot was added to a team Informational Identity Threat Module

    A user added a bot to a team in Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams bots to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the bot was created by a certified and trusted entity. Evaluate the permissions requested by the bot to determine if they are excessive or unusual. Determine if it is within the user's role to add bots to teams. Follow further actions done by the account.
  • A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment Informational Cloud

    A new server has been added to an Azure Active Directory Hybrid Health AD FS Environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the new server. Gain access to other servers in the Azure Active Directory Hybrid Health AD FS Environment. Gain access to user accounts in the Azure Active Directory Hybrid Health AD FS Environment.
    Investigative actions: Check the Azure Active Directory Hybrid Health Monitor to identify the new server. Verify that the new server is correctly configured for ADFS. Check the logs for any errors related to the new server.
  • A Possible crypto miner was detected on a host Medium

    The host produced traffic consistent with the crypto mining.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Resource Hijacking (T1496)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Abuse resources to mine crypto coins.
    Investigative actions: Check the host for crypto mining client software. Look for differences in the resource consumption from this host. Examine the client's network traffic for suspicious domains affiliated with mining or mining pools.
  • A Service Principal was created in Azure Informational Cloud

    A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Access user data. Gain control of the Azure environment.
    Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.
  • A Service Principal was removed from Azure Informational Cloud

    A service principal was removed from Azure. This indicates a change in access permissions and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)
    Required data: Azure Audit Log
    Attacker's goals: Evade defensive measures by deleting a possibly malicious service principal.
    Investigative actions: Check the Azure Active Directory audit logs for the details of the removed service principal. Check the Azure role assignments to identify which resources were impacted by the removal of the service principal.
  • A Successful VPN connection from TOR High Identity Analytics 1 variation

    A successful VPN connection from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A Successful VPN connection from TOR via Mobile Device

    Medium overridden

    A successful VPN connection from a TOR exit node. overridden

  • A Successful login from TOR High Identity Analytics

    A successful login from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gain initial access to the organization while anonymizing the source of the activity.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.
  • A TCP stream was created directly in a shell Medium

    Attackers may create a TCP stream using the shell command line to generate a reverse shell, enabling remote access to the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Attacker's goals: Attackers may use this device file to create sockets though shell commands as part of a reverse shell.
    Investigative actions: Review the command line used. Search for the corresponding network event. Check the prevalence of the target IP/domain.
  • A Torrent client was detected on a host Informational 1 variation

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Exfiltrate data or as a phishing entry point.
    Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    A Torrent client was detected on a host

    Informational overridden

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden

  • A WMI subscriber was created Informational

    A WMI subscriber was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Command execution and persistence on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A browser extension was installed or loaded in an uncommon way Informational 3 variations

    A browser extension was installed or loaded in an uncommon way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Gain persistency on a machine and steal sensitive browsing data.
    Investigative actions: Investigate the extension files and the process that installed them. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.

    Variations

    A browser was forced to load an extension using a special command line argument

    Low overridden

    A browser was forced to load an extension using a special command line argument, an uncommon method. overridden

    A browser extension was installed or loaded in an uncommon way by a LOLBIN process

    Low overridden

    A browser extension was installed or loaded in an uncommon way. overridden

    A browser extension was installed or loaded in an uncommon way by an uncommon process

    Low overridden

    A browser extension was installed or loaded in an uncommon way. overridden

  • A browser was opened in private mode Informational Identity Threat Module

    A browser was opened in private mode, which may indicate an attempt to cover tracks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)
    Required data: XDR Agent
    Attacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • A cloud function was created with an unusual runtime Low Cloud 3 variations

    A cloud function was created with an unusual runtime.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute arbitrary code in cloud environments.
    Investigative actions: Examine the cloud function's code implementation and look for any unusual invocations. Check for any unusual activities within the same project.

    Variations

    A cloud function was created with an unusual runtime by a known cloud identity

    Informational overridden

    A cloud function was created with an unusual runtime. overridden

    A cloud function was created with a runtime that was not seen in the organization

    Low overridden

    A cloud function was created with an unusual runtime. overridden

    A cloud function was created with a custom runtime

    Medium overridden

    A cloud function was created with an unusual runtime. overridden

  • A cloud identity created or modified a security group Informational Cloud 2 variations

    A cloud identity created or modified a security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Bypass network security controls to gain access to restricted cloud resources.
    Investigative actions: Check which security rules were added or modified. Check whether the identity that modified the security group rules is permitted to perform such action. Check which cloud resources can be affected by the security group.

    Variations

    A cloud identity opened a security group to the Internet

    Medium overridden

    A cloud identity modified a security group to allow network access from the Internet. overridden

    A cloud identity opened a security group to an unknown IP

    Low overridden

    A cloud identity modified a security group to allow network access from an unknown IP. overridden

  • A cloud identity executed an API call from an unusual country Informational Cloud 7 variations

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access sensitive resources and gain high privileges.
    Investigative actions: Check if the identity routed their traffic via a VPN or shared their credentials with a remote employee.

    Variations

    A suspicious cloud identity executed an API call from an unusual country

    Medium overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A Kubernetes identity executed an API call from a country that was not seen in the organization

    Medium overridden

    A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from a country that was not seen in the organization

    Medium overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from an unusual country

    Informational overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A Kubernetes API call was executed from an unusual country

    Low overridden

    A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud API call was executed from an unusual country

    Low overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from an unusual country using a compromised AWS access key

    High overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

  • A cloud identity had escalated its permissions Informational Cloud 4 variations

    A cloud identity had updated its permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    A cloud identity with high administrative activity had escalated its permissions

    Informational overridden

    A cloud identity with high administrative activity had updated its permissions. overridden

    A cloud compute service had escalated its permissions

    Medium overridden

    A cloud compute service had updated its permissions. overridden

    A cloud non-human identity had escalated its permissions

    Low overridden

    A cloud non-human identity had updated its permissions. overridden

    A cloud identity escalated its permissions to a high privilege role/policy

    Low overridden

    A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden

  • A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations

    A cloud identity invoked IAM related persistence operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.

    Variations

    A cloud identity invoked compute instance related persistence operations

    Informational overridden

    A cloud identity invoked compute instance related persistence operations. overridden

    A cloud identity invoked compute function related persistence operations

    Informational overridden

    A cloud identity invoked compute function related persistence operations. overridden

  • A cloud identity performed multiple unusual activities Medium Cloud 1 variation

    A cloud identity performed multiple unusual activities across various cloud services.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may manipulate accounts to pivot to their next point in the environment, and eventually to access or manipulate data.
    Investigative actions: Check if the identity intended to preform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    A cloud identity performed multiple suspicious activities

    Low overridden

    A cloud identity performed multiple unusual activities across various cloud services. overridden

  • A cloud identity started a Cloud Shell session Informational Cloud

    A cloud identity started a Cloud Shell session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Attacker's goals: Abuse cloud APIs to execute malicious commands.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • A cloud instance was stopped Informational Cloud

    A cloud compute instance was stopped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: System Shutdown/Reboot (T1529)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Review recent activity related to the identity and the affected cloud instance.
  • A cloud snapshot of AWS database or storage was modified or shared Informational Cloud 2 variations

    A cloud identity has shared a snapshot of an AWS database or storage instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot of a database or storage instance was shared public

    Low overridden

    A cloud identity has shared a snapshot of an AWS database or storage instance. overridden

    Cloud snapshot of a database or storage instance was shared with an unknown AWS account

    Low overridden

    A cloud identity has shared a snapshot of an AWS database or storage instance. overridden

  • A cloud storage configuration was modified Informational Cloud

    A cloud storage configuration was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: An attacker may use this API to grant storage access permission.
    Investigative actions: Check if the identity intended to modify the storage configuration. Check if the identity performed additional malicious operations in the cloud environment.
  • A cloud storage object was copied to a foreign cloud account Medium Cloud 2 variations

    A cloud storage object was copied or moved to a foreign cloud storage account.The destination account was either not monitored or not seen within your tenant for the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate data to a foreign account.
    Investigative actions: Check the legitimacy of the copy operation. Review further actions performed by the identity.

    Variations

    A cloud storage object from a sensitive bucket was copied to a foreign cloud account from a production account

    High overridden

    A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden

    A cloud storage object was copied to a foreign cloud account from a production account

    Medium overridden

    A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden

  • A commonly abused process connected to a rare cloud resource Low 3 variations

    A commonly abused process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Is this use case usually takes place within the org? Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A commonly abused software develop tool connected to a rare cloud resource

    Informational overridden

    A commonly abused software develop tool connected to a rare cloud resource. overridden

    A commonly abused rare process connected to a rare cloud resource

    Low overridden

    A commonly abused rare process connected to a rare cloud resource. overridden

    A commonly abused renamed process connected to a rare cloud resource

    Medium overridden

    A commonly abused renamed process connected to a rare cloud resource. overridden

  • A commonly abused process connected to a rare external host Low 3 variations

    A commonly abused process connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the external host. Get further details about the uncommon external destination. Assess whether this communication pattern is expected or not.

    Variations

    A commonly abused renamed process connected to a rare external host

    Medium overridden

    A commonly abused renamed process connected to a rare external host. overridden

    A commonly abused process connected to a globally rare external host

    Low overridden

    A commonly abused process connected to a globally rare external host. overridden

    A commonly abused rare process connected to a rare external host

    Low overridden

    A commonly abused rare process connected to a rare external host. overridden

  • A compiled HTML help file wrote a script file to the disk Low

    A compiled HTML help file wrote a script file to the disk. Compiled HTLM help files usually don't write script files to the disk. This behavior is often employed by malware that leverages malicious CHM files to deliver a 2nd stage payload.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Compiled HTML File (T1218.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Deliver a 2nd stage payload or to avoid detection.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check the file that was written to the disk for malicious activities.
  • A compressed file was exfiltrated over SSH Informational 1 variation

    Exfiltration of a compressed file over SSH.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to exfiltrate data over encrypted network protocol.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    A compressed file was exfiltrated over SSH from a Kubernetes pod

    Informational overridden

    Exfiltration of a compressed file over SSH. overridden

  • A compromised process accessed a rare cloud resource Informational 3 variations

    A compromised process accessed a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.
    Investigative actions: Investigate the compromised process. Identify the rare cloud resource accessed, is it managed by your organization?

    Variations

    A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters

    Medium overridden

    A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters. overridden

    A process compromised by DLL sideloading accessed a rare cloud resource

    Informational overridden

    A process compromised by DLL sideloading accessed a rare cloud resource. overridden

    An injected process accessed a rare cloud resource

    Informational overridden

    An injected process accessed a rare cloud resource. overridden

  • A compromised process accessed a rare external host Low 3 variations

    A compromised process accessed a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.
    Investigative actions: Investigate the compromised process. Check the rare remote host.

    Variations

    A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data

    High overridden

    A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data. overridden

    A process compromised by DLL sideloading accessed a rare external host

    Medium overridden

    A process compromised by DLL sideloading accessed a rare external host. overridden

    An injected process accessed a rare external host

    Medium overridden

    An injected process accessed a rare external host. overridden

  • A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations

    A compute-attached identity performed actions outside the compute instance region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.

    Variations

    A compute-attached identity executed API calls outside the Lambda function's region

    Informational overridden

    A compute-attached identity performed actions outside the Lambda function region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

    High overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

    Medium overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual ASN

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity failed to execute API calls outside the instance's region

    Informational overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

  • A computer account was promoted to DC Low Identity Analytics

    A computer account was promoted to a domain controller via a User Account Control (UAC) change.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain domain administrator privileges.
    Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.
  • A contained executable from a mounted share initiated a suspicious outbound network connection Medium 1 variation

    A contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check if the requested IP address is known or malicious. Investigate the contained process and its process tree.

    Variations

    A contained executable from a mounted share initiated a suspicious outbound network connection

    Medium overridden

    A cloud machine contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical. overridden

  • A contained executable was executed by an unusual process Medium 3 variations

    A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.

    Variations

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by an unusual process

    Medium overridden

    A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden

  • A contained process attempted to escape using the 'notify on release' feature Medium 1 variation

    A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute arbitrary commands on the host and gain a larger foothold.
    Investigative actions: Check which commands were executed on the host afterward. Look for the root cause of the execution within the container. Examine the release_agent script content on the container.

    Variations

    A contained process attempted to escape using the 'notify on release' feature

    Medium overridden

    A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the cloud host. overridden

  • A container registry was created or deleted Informational Cloud

    A container registry was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to sensitive data stored in the container registry. Modify or delete existing data in the container registry.
    Investigative actions: Check the activity logs to determine what was created or removed.
  • A disabled user attempted to authenticate via SSO Informational Identity Analytics

    A disabled user attempted to authenticate via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.
  • A disabled user attempted to log in Informational Identity Analytics 1 variation

    A disabled user attempted to log in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Monitor services that may be running with a disabled user's credentials.

    Variations

    Cached interactive login attempt by a disabled user

    Informational overridden

    A disabled user attempted to log in. overridden

  • A disabled user attempted to log in to a VPN Low Identity Analytics 1 variation

    A disabled user attempted to log in suspiciously to a VPN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. a contractor user). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Possible VPN login attempt by disabled user

    Informational overridden

    A disabled user attempted to log in suspiciously to a VPN. overridden

  • A domain was added to the trusted domains list Low Identity Threat Module 2 variations

    A domain was added to the Google Workspace trusted domains list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.

    Variations

    A domain was added to the trusted domains list by a non Google Workspace administrative user

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

    A domain was added to the trusted domains list from an unusual ASN

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

  • A machine certificate was issued with a mismatch Medium Identity Analytics

    A machine certificate was issued with a mismatch between the requester and the subject.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller machine account.
    Investigative actions: Check who owns the certificate requester account. Check if the requester DNS name attribute was changed recently. Investigate actions done by the requester and its owner. Check for possible DCSync alerts.
  • A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation

    A rule was set up to forward emails outside the Google Workspace domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.
    Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.

    Variations

    A mail forwarding rule was configured in Google Workspace to an uncommon domain

    High overridden

    A rule was set up to forward emails outside the Google Workspace domain. overridden

  • A new Azure email domain verification was requested Informational Cloud 1 variation

    A new Azure email domain verification was requested.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)
    Required data: Azure Audit Log
    Attacker's goals: Use an existing domain to launch phishing attacks from your environment.
    Investigative actions: Check if you recognize the added email domain.

    Variations

    A new Azure email domain verification was requested by an unusual identity

    Low overridden

    A new Azure email domain verification was requested.The identity was not seen performing operations on this resource type in the last 30 days. overridden

  • A new machine attempted Kerberos delegation Medium Identity Analytics

    A newly created machine attempted to perform a Kerberos delegation. This suspicious activity might indicate a Kerberos relay attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to system.
    Investigative actions: Check for any other suspicious activity related to the machine involved in the alert. Look for a new machine that was added to the domain.
  • A non-browser process accessed a website UI Informational 3 variations

    An uncommon network communication between a non-browser process and a website UI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Data exfiltration or attack tool staging.
    Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.

    Variations

    Suspicious content upload to a known text share website by Non browser process

    High overridden

    Uncommon data upload to a known text share website through a Non-browser process. overridden

    Uncommon data upload to a website through a Non-browser process

    Low overridden

    Uncommon data upload to a website through a Non browser process. overridden

    Uncommon data download from a known text share website through a Non-browser process

    Medium overridden

    Uncommon content download from a known text share website through a Non browser process. overridden

  • A possible risky login to Azure Informational Identity Analytics 2 variations

    A risky sign-in attempt was observed in Azure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD
    Attacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Azure Risky Login with Suspicious Characteristics

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

    Azure-Defined High-Risk Login Attempt

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

  • A process connected to a rare cloud resource Informational 3 variations

    A process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A browser process connected to a rare cloud resource

    Informational overridden

    A browser process connected to a rare cloud resource. overridden

    A process connected to an atypical rare cloud resource

    Informational overridden

    A process connected to an atypical rare cloud resource. overridden

    A process connected to a rare cloud resource atypical to this agent

    Informational overridden

    A process connected to a rare cloud resource atypical to this agent. overridden

  • A process connected to a rare external host Informational 6 variations

    A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Attacker's goals: Beacon to C2 server and/or exfiltrate data.
    Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.

    Variations

    MSBuild process connected to a rare external host

    High overridden

    MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden

    MSBuild process connected to a rare external host

    Medium overridden

    MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden

    LOLBIN spawned by an Office executable connected to a rare external host

    High overridden

    A LOLBIN run by an Office process connected to an external IP address or host, which is rarely connected to from the organization. overridden

    A curl process connected to a rare external host

    Informational overridden

    A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization. overridden

    VSCode extension process connected to a rare external host

    Low overridden

    A VSCode extension connected to an external IP address or host, which is rarely connected to from the organization. overridden

    UNIX LOLBIN process connected to a rare external host

    Low overridden

    A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the organization. overridden

  • A process connected to rare external host Informational 1 variation

    A process connected to a rare external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Get further details about the uncommon external destination and the actor process.

    Variations

    A process connected to globally rare external host

    Informational overridden

    A process connected to a globally rare external host. overridden

  • A process is masquerading as a common Microsoft product Informational 5 variations

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.

    Variations

    An unsigned actor executed masqueraded process which was downloaded from unexpected source

    High overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    An unsigned and rare actor executing masqueraded process with uncommon characteristics

    High overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process that was executed by remote causality actor is masquerading as a common Microsoft product

    Medium overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process is masquerading as a common Microsoft Lolbin

    Low overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process running from a commonly abused directory is masquerading as a common Microsoft product

    Low overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

  • A process modified an SSH authorized_keys file Informational 3 variations

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers, Generic Persistence Analytics
    Attacker's goals: Adversaries use this to ensure that they possess the corresponding private key and may log in as an existing user via SSH.
    Investigative actions: Check the file modification, try to understand the impact of the related processes and network connections.

    Variations

    A process modified an SSH authorized_keys2 file

    Low overridden

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden

    A process modified an SSH authorized_keys file from within a Kubernetes Pod

    Low overridden

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden

    Unpopular process modified the SSH authorized_keys file

    Low overridden

    An unpopular process modified the SSH authorized_keys file. overridden

  • A process queried the ADFS database decryption key via LDAP Low Identity Analytics 3 variations

    A process queried the ADFS database decryption key (DKM key) via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Federation Services Analytics
    Attacker's goals: An attacker wanting to perform a golden SAML attack will want to steal the ADFS token-signing certificates. To steal the token-signing certificates, the attacker will need to access the ADFS database To access the encrypted ADFS database, an attacker will attempt to retrieve the decryption key via an LDAP query.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Check for unusual ADFS logins. Check the process that initiated the query. Investigate the LDAP search query for any suspicious indicators.

    Variations

    LDAP query explicitly queried the ADFS database decryption key (DKM key)

    Medium overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

    A process explicitly queried the ADFS database decryption key (DKM key) via LDAP

    Medium overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

    LDAP query queried the ADFS database decryption key (DKM key)

    Low overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

  • A process was executed with a command line obfuscated by Unicode character substitution Medium

    A process was executed with a command line obfuscated by Unicode character substitution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Hide its action and avoid detection.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

  • A rare FTP user has been detected on an existing FTP server Low 1 variation

    A rare or new FTP user has been detected on an existing FTP server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.

    Variations

    Possible FTP User Scanning Detected

    Low overridden

    A rare or new FTP user has been detected on an existing FTP server. overridden

  • A rare file path was added to the AppInit_DLLs registry value Low 2 variations

    A rare file path was added to AppInit_DLLs registry value.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Event Triggered Execution (T1546)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Injection Analytics
    Attacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.
    Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.

    Variations

    A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

    A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path

    Medium overridden

    A rare file path was added to AppInit_DLLs registry value. overridden

  • A rare local administrator login Informational Identity Analytics 1 variation

    A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to change sensitive settings on the host.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    Suspicious local administrator login

    Low overridden

    A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host. overridden

  • A remote service was created via RPC over SMB Low 1 variation

    A remote service was created via RPC over SMB.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: Process creation on a remote host.
    Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.

    Variations

    A remote service with an uncommon name was created via RPC over SMB

    Medium overridden

    A remote service was created via RPC over SMB. overridden

  • A service was disabled Informational 3 variations

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: XDR Agent
    Attacker's goals: Evade detection by certain programs. Limit the functionality and availability of systems, services, and network resources.
    Investigative actions: Check if the disabled service could potentially threaten a malicious actor, or if holds a critical role. Investigate the disabling process to understand if it performed other suspicious actions.

    Variations

    A service was disabled without using the ServiceControlManager RPC interface

    Informational overridden

    A service was disabled abnormally through the registry. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

    An injected process performed an uncommon service deactivation

    Informational overridden

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

    An unsigned process performed an uncommon service deactivation

    Low overridden

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

  • A successful SSO sign-in from TOR High Identity Analytics 1 variation

    A successful sign-in from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A successful SSO sign-in from TOR via Mobile Device

    Medium overridden

    A successful sign-in from a TOR exit node. overridden

  • A suspicious direct syscall was executed Low 2 variations

    A suspicious direct syscall was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Native API (T1106)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Direct Syscall Analytics
    Attacker's goals: An attacker might try to use direct syscalls to evade detection from a legitimate program.
    Investigative actions: Investigate the direct syscall-mapped image to verify if it is malicious. Check if this direct syscall is part of the process execution flow.

    Variations

    A suspicious direct syscall was executed by unsigned process from a user folder

    High overridden

    A suspicious direct syscall was executed by unsigned process from a user folder. overridden

    A suspicious direct syscall was executed by a DLL host application

    Medium overridden

    A suspicious direct syscall was executed by a DLL host application. overridden

  • A suspicious executable with multiple file extensions was created Medium

    An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.
    Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.
  • A suspicious process enrolled for a certificate Low 1 variation

    A suspicious process enrolled for a certificate.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may authenticate as users using a certificate. If a policy is configured with permissive options, the attacker can authenticate as a user with high privileges.
    Investigative actions: See whether this was a legitimate action. Follow process/user activities. Check for suspicious certificate authentications.

    Variations

    An unsigned suspicious process enrolled for a certificate

    Medium overridden

    An unsigned suspicious process enrolled for a certificate. overridden

  • A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A suspicious process queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user suspiciously queried AD CS objects via LDAP

    Low overridden

    A user suspiciously queried AD CS objects via LDAP. overridden

  • A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module

    A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.
    Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.