Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapA Backup vault policy was modified Low Cloud
A cloud identity has modified backup vault access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Manipulate access to a backup vault.Investigative actions: Check if the {identity_name} intended to modify the backup vault policy. Check additional activity by {identity_name}.A Cloud DB instance was exported to an unknown destination Informational Cloud
A Cloud DB instance was exported to a foreign storage destination.The destination storage has not been seen in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate sensitive database content to an external or attacker-controlled bucket.Investigative actions: Verify if the destination bucket is authorized for data export. Investigate the identity performing the action for unusual behavior or lack of authorization. Assess the sensitivity of the data within the source Cloud DB instance to determine impact.A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service
Informational overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service
Medium overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
A GCP Cloud SQL DB instance was exported from a production account Informational Cloud
A GCP Cloud SQL DB instance was exported to a storage bucket.The DB instance was exported from a production account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source Cloud DB instance. Review further actions performed by the identity.A GCP service account was delegated domain-wide authority in Google Workspace Low Identity Threat Module 1 variation
A Google Workspace admin has enabled domain-wide delegation to a GCP service account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious Apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
A Google Workspace admin has enabled domain-wide delegation to a GCP service account and granted him access to a sensitive scope
Medium overridden
A Google Workspace admin has enabled domain-wide delegation to a GCP service account. overridden
A Google Workspace Role privilege was deleted Informational Identity Threat Module
A privilege was removed from a Google Workspace Role, This could potentially affect the access to services and data in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to sensitive data stored in the workspace. Gain elevated privileges in the workspace.Investigative actions: Investigate who was assigned the deleted role privilege. Verify if the role privilege was deleted intentionally.A Google Workspace identity created, assigned or modified a role Informational Identity Threat Module 3 variations
A Google Workspace identity created, assigned or modified a delegated admin role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may create, assign or modify a role to elevate the permissions of other user accounts and persist in their target's environment.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the identity's role designation in the organization. Follow further actions done by the account.Variations
A non-administrative Google Workspace identity created, assigned or modified a role from an unusual ASN
Low overridden
A Google Workspace identity created, assigned or modified a delegated admin role. overridden
A non-administrative Google Workspace identity created, assigned or modified a role
Low overridden
A Google Workspace identity created, assigned or modified a delegated admin role. overridden
A Google Workspace identity created, assigned or modified a role from an unusual ASN
Low overridden
A Google Workspace identity created, assigned or modified a delegated admin role. overridden
A Google Workspace identity performed an unusual admin console activity Informational Identity Threat Module 1 variation
A Google Workspace identity performed an admin console activity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: To do.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the changes that were made look suspicious. Follow further actions done by the account.Variations
A non-administrative Google Workspace identity performed an unusual admin console activity
Informational overridden
A Google Workspace identity performed an admin console activity for the first time. overridden
A Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation
A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Access sensitive data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.Variations
A suspicious Google Workspace identity used the security investigation tool
Low overridden
A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden
A Google Workspace service was configured as unrestricted Informational Identity Threat Module 3 variations
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
A Google Workspace service was configured as unrestricted by a suspicious identity
Low overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace service was configured as unrestricted from an unusual ASN
Low overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace service was configured as unrestricted by a non-administrative identity
Informational overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace user was added to a group Informational Identity Threat Module
A user added another user to a Google Workspace group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate accounts and groups to maintain access to victim systems.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user was added to a sensitive group. Follow further actions done by the account.A Google Workspace user was removed from a group Informational Identity Threat Module
A user removed another user from a Google Workspace group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may interrupt the availability of services and resources by inhibiting access to users.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user's work can be affected by this action. Follow further actions done by the account.A Kubernetes API operation was successfully invoked by an anonymous user Medium Cloud 1 variation
An unauthenticated user successfully invoked API calls within the Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain initial access to a Kubernetes cluster.Investigative actions: Determine which resources were accessed anonymously. Verify whether the affected resource should be accessed by unauthenticated users.Variations
A Kubernetes API operation was successfully invoked by an anonymous user outside the cluster
High overridden
An unauthenticated user successfully invoked API calls within the Kubernetes cluster. overridden
A Kubernetes ConfigMap was created or deleted Informational Cloud
A Kubernetes ConfigMap was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence using valid credentials.Investigative actions: Check which changes were made to the Kubernetes ConfigMap.A Kubernetes Cronjob was created Informational Cloud
A Kubernetes CronJob was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job: Container Orchestration Job (T1053.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence by scheduling deployment of containers configured to execute malicious code.Investigative actions: Check which changes were made to the Kubernetes CronJob.A Kubernetes DaemonSet was created Informational Cloud
A Kubernetes DaemonSet was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes DaemonSet.A Kubernetes Pod was created with a sidecar container Informational Cloud
A Kubernetes Pod was created with a sidecar container.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes deployment.A Kubernetes Pod was deleted Informational Cloud
A Kubernetes Pod was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Destroy data to interrupt cluster services and availability.Investigative actions: Check which Kubernetes Pods were deleted.A Kubernetes ReplicaSet was created Informational Cloud
A Kubernetes ReplicaSet was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes ReplicaSet.A Kubernetes StatefulSet was created Informational Cloud
A Kubernetes StatefulSet was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes StatefulSet.A Kubernetes cluster role binding was created or deleted Informational Cloud
A Kubernetes cluster role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.Investigative actions: Check which changes were made to the Kubernetes cluster role binding.A Kubernetes cluster was created or deleted Informational Cloud
A Kubernetes cluster was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Leverage access to manipulate the Kubernetes infrastructure.Investigative actions: Check which changes were made to the Kubernetes cluster and whether they are expected.A Kubernetes dashboard service account was used outside the cluster Medium Cloud 1 variation
A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain initial access to the Kubernetes cluster.Investigative actions: Determine which Kubernetes resources were accessed through the dashboard. Check whether any changes were made to the Kubernetes cluster.Variations
A Kubernetes dashboard service account was unsuccessfully used outside the cluster
Low overridden
A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.The operation was unsuccessful. overridden
A Kubernetes deployment was created Informational Cloud
A Kubernetes deployment was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes deployment.A Kubernetes ephemeral container was created Informational Cloud
A Kubernetes ephemeral container was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes deployment.A Kubernetes namespace was created or deleted Informational Cloud
A Kubernetes namespace was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Manipulating namespace name to make it appear legitimate or benign.Investigative actions: Check which changes were made to the Kubernetes namespace.A Kubernetes node service account activity from external IP Informational Cloud 1 variation
A Kubernetes node service account was seen operating from an external IP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the Kubernetes cluster.Investigative actions: Determine which resources were accessed by the node service account. Investigate other actions made by the node service account.Variations
A Kubernetes node service account was used outside the cluster
Low overridden
A Kubernetes node service account was seen operating from an external IP. overridden
A Kubernetes role binding was created or deleted Informational Cloud
A Kubernetes role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A Kubernetes secret was created or deleted Informational Cloud
A Kubernetes secret was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A Kubernetes service account executed an unusual API call Informational Cloud 4 variations
A Kubernetes service account executed an unusual API call.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Abuse a service account token to gain access to the Kubernetes cluster.Investigative actions: Verify whether the service account should be executing this API. Investigate other operations that were performed by the service account within the cluster.Variations
A Kubernetes service account executed an API call on a first-seen resource
Low overridden
A Kubernetes service account executed an API call on a first-seen resource. overridden
A Kubernetes service account executed an API call on an unusual sensitive resource
Low overridden
A Kubernetes service account executed an API call on an unusual sensitive resource. overridden
A Kubernetes service account executed an unusual modification API call
Informational overridden
A Kubernetes service account executed an unusual modification API call. overridden
A Kubernetes service account executed an API call on an unusual resource
Informational overridden
A Kubernetes service account executed an API call on an unusual resource. overridden
A Kubernetes service account has enumerated its permissions Informational Cloud 2 variations
A Kubernetes service account has enumerated its permissions using the self subject review API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Discover permissions to the Kubernetes cluster.Investigative actions: Determine the scope of the Kubernetes service account permissions. Review additional activity of the Kubernetes service account.Variations
Suspicious permission enumeration by a Kubernetes service account
Low overridden
A Kubernetes service account has enumerated its permissions using the self subject review API. overridden
A Kubernetes service account attempted to enumerate its permissions
Low overridden
A Kubernetes service account has attempted to enumerate its permissions using the self subject review API. overridden
A Kubernetes service account was created or deleted Informational Cloud 1 variation
A Kubernetes service account was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Maintain persistence using a valid service account.Investigative actions: Check which changes were made to the Kubernetes service account.Variations
A Kubernetes service account was created or deleted in a default namespace
Informational overridden
A Kubernetes service account was created or deleted. overridden
A Kubernetes service was created or deleted Informational Cloud
A Kubernetes service was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Attackers may attempt to perform denial-of-service attacks to make services unavailable.Investigative actions: Check which changes were made to the Kubernetes service.A LOLBIN was copied to a different location Informational 2 variations
To evade detection, attackers may copy a LOLBIN executable to a different location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentAttacker's goals: Command execution via lolbins and detection avoidance via file rename.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the lolbin and try to see if it's benign.Variations
A LOLBIN was copied to a different location using a rare command line
High overridden
To evade detection, attackers may copy a LOLBIN executable to a different location. overridden
A LOLBIN was copied to a different location using a rare command line via a commonly used method
Low overridden
To evade detection, attackers may copy a LOLBIN executable to a different location. overridden
A Microsoft Teams application was installed Informational Identity Threat Module 1 variation
A Microsoft Teams application was installed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to install this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.Variations
A Microsoft Teams application was installed with special parameters
Low overridden
A Microsoft Teams application was installed. overridden
A Microsoft Teams bot was added to a team Informational Identity Threat Module
A user added a bot to a team in Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams bots to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the bot was created by a certified and trusted entity. Evaluate the permissions requested by the bot to determine if they are excessive or unusual. Determine if it is within the user's role to add bots to teams. Follow further actions done by the account.A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment Informational Cloud
A new server has been added to an Azure Active Directory Hybrid Health AD FS Environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the new server. Gain access to other servers in the Azure Active Directory Hybrid Health AD FS Environment. Gain access to user accounts in the Azure Active Directory Hybrid Health AD FS Environment.Investigative actions: Check the Azure Active Directory Hybrid Health Monitor to identify the new server. Verify that the new server is correctly configured for ADFS. Check the logs for any errors related to the new server.A Possible crypto miner was detected on a host Medium
The host produced traffic consistent with the crypto mining.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Resource Hijacking (T1496)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Abuse resources to mine crypto coins.Investigative actions: Check the host for crypto mining client software. Look for differences in the resource consumption from this host. Examine the client's network traffic for suspicious domains affiliated with mining or mining pools.A Service Principal was created in Azure Informational Cloud
A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Access user data. Gain control of the Azure environment.Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.A Service Principal was removed from Azure Informational Cloud
A service principal was removed from Azure. This indicates a change in access permissions and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)Required data: Azure Audit LogAttacker's goals: Evade defensive measures by deleting a possibly malicious service principal.Investigative actions: Check the Azure Active Directory audit logs for the details of the removed service principal. Check the Azure role assignments to identify which resources were impacted by the removal of the service principal.A Successful VPN connection from TOR High Identity Analytics 1 variation
A successful VPN connection from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A Successful VPN connection from TOR via Mobile Device
Medium overridden
A successful VPN connection from a TOR exit node. overridden
A Successful login from TOR High Identity Analytics
A successful login from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gain initial access to the organization while anonymizing the source of the activity.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.A TCP stream was created directly in a shell Medium
Attackers may create a TCP stream using the shell command line to generate a reverse shell, enabling remote access to the endpoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter (T1059)Required data: XDR AgentAttacker's goals: Attackers may use this device file to create sockets though shell commands as part of a reverse shell.Investigative actions: Review the command line used. Search for the corresponding network event. Check the prevalence of the target IP/domain.A Torrent client was detected on a host Informational 1 variation
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Exfiltrate data or as a phishing entry point.Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
A Torrent client was detected on a host
Informational overridden
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden
A WMI subscriber was created Informational
A WMI subscriber was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A browser extension was installed or loaded in an uncommon way Informational 3 variations
A browser extension was installed or loaded in an uncommon way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Gain persistency on a machine and steal sensitive browsing data.Investigative actions: Investigate the extension files and the process that installed them. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Variations
A browser was forced to load an extension using a special command line argument
Low overridden
A browser was forced to load an extension using a special command line argument, an uncommon method. overridden
A browser extension was installed or loaded in an uncommon way by a LOLBIN process
Low overridden
A browser extension was installed or loaded in an uncommon way. overridden
A browser extension was installed or loaded in an uncommon way by an uncommon process
Low overridden
A browser extension was installed or loaded in an uncommon way. overridden
A browser was opened in private mode Informational Identity Threat Module
A browser was opened in private mode, which may indicate an attempt to cover tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)Required data: XDR AgentAttacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.A cloud function was created with an unusual runtime Low Cloud 3 variations
A cloud function was created with an unusual runtime.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Serverless Execution (T1648)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute arbitrary code in cloud environments.Investigative actions: Examine the cloud function's code implementation and look for any unusual invocations. Check for any unusual activities within the same project.Variations
A cloud function was created with an unusual runtime by a known cloud identity
Informational overridden
A cloud function was created with an unusual runtime. overridden
A cloud function was created with a runtime that was not seen in the organization
Low overridden
A cloud function was created with an unusual runtime. overridden
A cloud function was created with a custom runtime
Medium overridden
A cloud function was created with an unusual runtime. overridden
A cloud identity created or modified a security group Informational Cloud 2 variations
A cloud identity created or modified a security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Bypass network security controls to gain access to restricted cloud resources.Investigative actions: Check which security rules were added or modified. Check whether the identity that modified the security group rules is permitted to perform such action. Check which cloud resources can be affected by the security group.Variations
A cloud identity opened a security group to the Internet
Medium overridden
A cloud identity modified a security group to allow network access from the Internet. overridden
A cloud identity opened a security group to an unknown IP
Low overridden
A cloud identity modified a security group to allow network access from an unknown IP. overridden
A cloud identity executed an API call from an unusual country Informational Cloud 7 variations
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access sensitive resources and gain high privileges.Investigative actions: Check if the identity routed their traffic via a VPN or shared their credentials with a remote employee.Variations
A suspicious cloud identity executed an API call from an unusual country
Medium overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A Kubernetes identity executed an API call from a country that was not seen in the organization
Medium overridden
A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity executed an API call from a country that was not seen in the organization
Medium overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity executed an API call from an unusual country
Informational overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A Kubernetes API call was executed from an unusual country
Low overridden
A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud API call was executed from an unusual country
Low overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity executed an API call from an unusual country using a compromised AWS access key
High overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity had escalated its permissions Informational Cloud 4 variations
A cloud identity had updated its permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Escalate privileges.Investigative actions: Verify which permissions were granted to the identity.Variations
A cloud identity with high administrative activity had escalated its permissions
Informational overridden
A cloud identity with high administrative activity had updated its permissions. overridden
A cloud compute service had escalated its permissions
Medium overridden
A cloud compute service had updated its permissions. overridden
A cloud non-human identity had escalated its permissions
Low overridden
A cloud non-human identity had updated its permissions. overridden
A cloud identity escalated its permissions to a high privilege role/policy
Low overridden
A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden
A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations
A cloud identity invoked IAM related persistence operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.Variations
A cloud identity invoked compute instance related persistence operations
Informational overridden
A cloud identity invoked compute instance related persistence operations. overridden
A cloud identity invoked compute function related persistence operations
Informational overridden
A cloud identity invoked compute function related persistence operations. overridden
A cloud identity performed multiple unusual activities Medium Cloud 1 variation
A cloud identity performed multiple unusual activities across various cloud services.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Adversaries may manipulate accounts to pivot to their next point in the environment, and eventually to access or manipulate data.Investigative actions: Check if the identity intended to preform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
A cloud identity performed multiple suspicious activities
Low overridden
A cloud identity performed multiple unusual activities across various cloud services. overridden
A cloud identity started a Cloud Shell session Informational Cloud
A cloud identity started a Cloud Shell session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogAttacker's goals: Abuse cloud APIs to execute malicious commands.Investigative actions: Investigate any unusual activity originating from the suspected identity.A cloud instance was stopped Informational Cloud
A cloud compute instance was stopped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: System Shutdown/Reboot (T1529)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Interrupt business services.Investigative actions: Review recent activity related to the identity and the affected cloud instance.A cloud snapshot of AWS database or storage was modified or shared Informational Cloud 2 variations
A cloud identity has shared a snapshot of an AWS database or storage instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot of a database or storage instance was shared public
Low overridden
A cloud identity has shared a snapshot of an AWS database or storage instance. overridden
Cloud snapshot of a database or storage instance was shared with an unknown AWS account
Low overridden
A cloud identity has shared a snapshot of an AWS database or storage instance. overridden
A cloud storage configuration was modified Informational Cloud
A cloud storage configuration was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Public Exposure, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: An attacker may use this API to grant storage access permission.Investigative actions: Check if the identity intended to modify the storage configuration. Check if the identity performed additional malicious operations in the cloud environment.A cloud storage object was copied to a foreign cloud account Medium Cloud 2 variations
A cloud storage object was copied or moved to a foreign cloud storage account.The destination account was either not monitored or not seen within your tenant for the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate data to a foreign account.Investigative actions: Check the legitimacy of the copy operation. Review further actions performed by the identity.Variations
A cloud storage object from a sensitive bucket was copied to a foreign cloud account from a production account
High overridden
A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden
A cloud storage object was copied to a foreign cloud account from a production account
Medium overridden
A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden
A commonly abused process connected to a rare cloud resource Low 3 variations
A commonly abused process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Is this use case usually takes place within the org? Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A commonly abused software develop tool connected to a rare cloud resource
Informational overridden
A commonly abused software develop tool connected to a rare cloud resource. overridden
A commonly abused rare process connected to a rare cloud resource
Low overridden
A commonly abused rare process connected to a rare cloud resource. overridden
A commonly abused renamed process connected to a rare cloud resource
Medium overridden
A commonly abused renamed process connected to a rare cloud resource. overridden
A commonly abused process connected to a rare external host Low 3 variations
A commonly abused process connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the external host. Get further details about the uncommon external destination. Assess whether this communication pattern is expected or not.Variations
A commonly abused renamed process connected to a rare external host
Medium overridden
A commonly abused renamed process connected to a rare external host. overridden
A commonly abused process connected to a globally rare external host
Low overridden
A commonly abused process connected to a globally rare external host. overridden
A commonly abused rare process connected to a rare external host
Low overridden
A commonly abused rare process connected to a rare external host. overridden
A compiled HTML help file wrote a script file to the disk Low
A compiled HTML help file wrote a script file to the disk. Compiled HTLM help files usually don't write script files to the disk. This behavior is often employed by malware that leverages malicious CHM files to deliver a 2nd stage payload.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Compiled HTML File (T1218.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Deliver a 2nd stage payload or to avoid detection.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check the file that was written to the disk for malicious activities.A compressed file was exfiltrated over SSH Informational 1 variation
Exfiltration of a compressed file over SSH.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to exfiltrate data over encrypted network protocol.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
A compressed file was exfiltrated over SSH from a Kubernetes pod
Informational overridden
Exfiltration of a compressed file over SSH. overridden
A compromised process accessed a rare cloud resource Informational 3 variations
A compromised process accessed a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.Investigative actions: Investigate the compromised process. Identify the rare cloud resource accessed, is it managed by your organization?Variations
A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters
Medium overridden
A process compromised by DLL sideloading accessed a rare cloud resource and demonstrated abnormal communication patters. overridden
A process compromised by DLL sideloading accessed a rare cloud resource
Informational overridden
A process compromised by DLL sideloading accessed a rare cloud resource. overridden
An injected process accessed a rare cloud resource
Informational overridden
An injected process accessed a rare cloud resource. overridden
A compromised process accessed a rare external host Low 3 variations
A compromised process accessed a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Detector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure while leveraging a compromised process to evade detection.Investigative actions: Investigate the compromised process. Check the rare remote host.Variations
A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data
High overridden
A process compromised by DLL sideloading accessed a rare external host and transferred a large amount of data. overridden
A process compromised by DLL sideloading accessed a rare external host
Medium overridden
A process compromised by DLL sideloading accessed a rare external host. overridden
An injected process accessed a rare external host
Medium overridden
An injected process accessed a rare external host. overridden
A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations
A compute-attached identity performed actions outside the compute instance region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.Variations
A compute-attached identity executed API calls outside the Lambda function's region
Informational overridden
A compute-attached identity performed actions outside the Lambda function region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN
High overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation
Medium overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual ASN
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity failed to execute API calls outside the instance's region
Informational overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A computer account was promoted to DC Low Identity Analytics
A computer account was promoted to a domain controller via a User Account Control (UAC) change.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain domain administrator privileges.Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.A contained executable from a mounted share initiated a suspicious outbound network connection Medium 1 variation
A contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check if the requested IP address is known or malicious. Investigate the contained process and its process tree.Variations
A contained executable from a mounted share initiated a suspicious outbound network connection
Medium overridden
A cloud machine contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical. overridden
A contained executable was executed by an unusual process Medium 3 variations
A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.Variations
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by an unusual process
Medium overridden
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden
A contained process attempted to escape using the 'notify on release' feature Medium 1 variation
A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute arbitrary commands on the host and gain a larger foothold.Investigative actions: Check which commands were executed on the host afterward. Look for the root cause of the execution within the container. Examine the release_agent script content on the container.Variations
A contained process attempted to escape using the 'notify on release' feature
Medium overridden
A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the cloud host. overridden
A container registry was created or deleted Informational Cloud
A container registry was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to sensitive data stored in the container registry. Modify or delete existing data in the container registry.Investigative actions: Check the activity logs to determine what was created or removed.A disabled user attempted to authenticate via SSO Informational Identity Analytics
A disabled user attempted to authenticate via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.A disabled user attempted to log in Informational Identity Analytics 1 variation
A disabled user attempted to log in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Monitor services that may be running with a disabled user's credentials.Variations
Cached interactive login attempt by a disabled user
Informational overridden
A disabled user attempted to log in. overridden
A disabled user attempted to log in to a VPN Low Identity Analytics 1 variation
A disabled user attempted to log in suspiciously to a VPN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. a contractor user). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Possible VPN login attempt by disabled user
Informational overridden
A disabled user attempted to log in suspiciously to a VPN. overridden
A domain was added to the trusted domains list Low Identity Threat Module 2 variations
A domain was added to the Google Workspace trusted domains list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.Variations
A domain was added to the trusted domains list by a non Google Workspace administrative user
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A domain was added to the trusted domains list from an unusual ASN
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A machine certificate was issued with a mismatch Medium Identity Analytics
A machine certificate was issued with a mismatch between the requester and the subject.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller machine account.Investigative actions: Check who owns the certificate requester account. Check if the requester DNS name attribute was changed recently. Investigate actions done by the requester and its owner. Check for possible DCSync alerts.A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation
A rule was set up to forward emails outside the Google Workspace domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.Variations
A mail forwarding rule was configured in Google Workspace to an uncommon domain
High overridden
A rule was set up to forward emails outside the Google Workspace domain. overridden
A new Azure email domain verification was requested Informational Cloud 1 variation
A new Azure email domain verification was requested.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)Required data: Azure Audit LogAttacker's goals: Use an existing domain to launch phishing attacks from your environment.Investigative actions: Check if you recognize the added email domain.Variations
A new Azure email domain verification was requested by an unusual identity
Low overridden
A new Azure email domain verification was requested.The identity was not seen performing operations on this resource type in the last 30 days. overridden
A new machine attempted Kerberos delegation Medium Identity Analytics
A newly created machine attempted to perform a Kerberos delegation. This suspicious activity might indicate a Kerberos relay attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to system.Investigative actions: Check for any other suspicious activity related to the machine involved in the alert. Look for a new machine that was added to the domain.A non-browser process accessed a website UI Informational 3 variations
An uncommon network communication between a non-browser process and a website UI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: Palo Alto Networks Url LogsAttacker's goals: Data exfiltration or attack tool staging.Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.Variations
Suspicious content upload to a known text share website by Non browser process
High overridden
Uncommon data upload to a known text share website through a Non-browser process. overridden
Uncommon data upload to a website through a Non-browser process
Low overridden
Uncommon data upload to a website through a Non browser process. overridden
Uncommon data download from a known text share website through a Non-browser process
Medium overridden
Uncommon content download from a known text share website through a Non browser process. overridden
A possible risky login to Azure Informational Identity Analytics 2 variations
A risky sign-in attempt was observed in Azure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureADAttacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Azure Risky Login with Suspicious Characteristics
Low overridden
A risky sign-in attempt was observed in Azure. overridden
Azure-Defined High-Risk Login Attempt
Low overridden
A risky sign-in attempt was observed in Azure. overridden
A process connected to a rare cloud resource Informational 3 variations
A process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A browser process connected to a rare cloud resource
Informational overridden
A browser process connected to a rare cloud resource. overridden
A process connected to an atypical rare cloud resource
Informational overridden
A process connected to an atypical rare cloud resource. overridden
A process connected to a rare cloud resource atypical to this agent
Informational overridden
A process connected to a rare cloud resource atypical to this agent. overridden
A process connected to a rare external host Informational 6 variations
A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentAttacker's goals: Beacon to C2 server and/or exfiltrate data.Investigative actions: Check whether the process was injected or otherwise subverted for malicious use.Variations
MSBuild process connected to a rare external host
High overridden
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden
MSBuild process connected to a rare external host
Medium overridden
MSBuild normally does not make any network connections. This unusual activity may be malicious since attackers can leverage MSBuild for code execution. overridden
LOLBIN spawned by an Office executable connected to a rare external host
High overridden
A LOLBIN run by an Office process connected to an external IP address or host, which is rarely connected to from the organization. overridden
A curl process connected to a rare external host
Informational overridden
A process connected to an external host name or directly to an IP address, which is rarely connected to from the organization. overridden
VSCode extension process connected to a rare external host
Low overridden
A VSCode extension connected to an external IP address or host, which is rarely connected to from the organization. overridden
UNIX LOLBIN process connected to a rare external host
Low overridden
A UNIX LOLBIN connected to an external IP address or host, which is rarely connected to from the organization. overridden
A process connected to rare external host Informational 1 variation
A process connected to a rare external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Get further details about the uncommon external destination and the actor process.Variations
A process connected to globally rare external host
Informational overridden
A process connected to a globally rare external host. overridden
A process is masquerading as a common Microsoft product Informational 5 variations
An attacker might leverage common Microsoft software image names to run malicious processes without being caught.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.Variations
An unsigned actor executed masqueraded process which was downloaded from unexpected source
High overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
An unsigned and rare actor executing masqueraded process with uncommon characteristics
High overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process that was executed by remote causality actor is masquerading as a common Microsoft product
Medium overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process is masquerading as a common Microsoft Lolbin
Low overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process running from a commonly abused directory is masquerading as a common Microsoft product
Low overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process modified an SSH authorized_keys file Informational 3 variations
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Containers, Generic Persistence AnalyticsAttacker's goals: Adversaries use this to ensure that they possess the corresponding private key and may log in as an existing user via SSH.Investigative actions: Check the file modification, try to understand the impact of the related processes and network connections.Variations
A process modified an SSH authorized_keys2 file
Low overridden
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden
A process modified an SSH authorized_keys file from within a Kubernetes Pod
Low overridden
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden
Unpopular process modified the SSH authorized_keys file
Low overridden
An unpopular process modified the SSH authorized_keys file. overridden
A process queried the ADFS database decryption key via LDAP Low Identity Analytics 3 variations
A process queried the ADFS database decryption key (DKM key) via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Federation Services AnalyticsAttacker's goals: An attacker wanting to perform a golden SAML attack will want to steal the ADFS token-signing certificates. To steal the token-signing certificates, the attacker will need to access the ADFS database To access the encrypted ADFS database, an attacker will attempt to retrieve the decryption key via an LDAP query.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Check for unusual ADFS logins. Check the process that initiated the query. Investigate the LDAP search query for any suspicious indicators.Variations
LDAP query explicitly queried the ADFS database decryption key (DKM key)
Medium overridden
A process queried the ADFS database decryption key (DKM key) via LDAP. overridden
A process explicitly queried the ADFS database decryption key (DKM key) via LDAP
Medium overridden
A process queried the ADFS database decryption key (DKM key) via LDAP. overridden
LDAP query queried the ADFS database decryption key (DKM key)
Low overridden
A process queried the ADFS database decryption key (DKM key) via LDAP. overridden
A process was executed with a command line obfuscated by Unicode character substitution Medium
A process was executed with a command line obfuscated by Unicode character substitution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Hide its action and avoid detection.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare FTP user has been detected on an existing FTP server Low 1 variation
A rare or new FTP user has been detected on an existing FTP server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.Variations
Possible FTP User Scanning Detected
Low overridden
A rare or new FTP user has been detected on an existing FTP server. overridden
A rare file path was added to the AppInit_DLLs registry value Low 2 variations
A rare file path was added to AppInit_DLLs registry value.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Event Triggered Execution (T1546)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Injection AnalyticsAttacker's goals: Establish persistence and/or elevate privileges by injecting malicious content triggered by AppInit DLLs loaded into processes.Investigative actions: Investigate the path of the modified value. Investigate the causality actor process which initiated the activity.Variations
A rare file path was added to the AppInit_DLLs registry valueusing a manual registry tool
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A rare file path was added to the AppInit_DLLs registry valuewith a commonly abused path
Medium overridden
A rare file path was added to AppInit_DLLs registry value. overridden
A rare local administrator login Informational Identity Analytics 1 variation
A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: The attacker attempts to change sensitive settings on the host.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
Suspicious local administrator login
Low overridden
A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host. overridden
A remote service was created via RPC over SMB Low 1 variation
A remote service was created via RPC over SMB.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: Process creation on a remote host.Investigative actions: Check whether the new process is benign and that the new process is not doing suspicious activity.Variations
A remote service with an uncommon name was created via RPC over SMB
Medium overridden
A remote service was created via RPC over SMB. overridden
A service was disabled Informational 3 variations
A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: XDR AgentAttacker's goals: Evade detection by certain programs. Limit the functionality and availability of systems, services, and network resources.Investigative actions: Check if the disabled service could potentially threaten a malicious actor, or if holds a critical role. Investigate the disabling process to understand if it performed other suspicious actions.Variations
A service was disabled without using the ServiceControlManager RPC interface
Informational overridden
A service was disabled abnormally through the registry. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden
An injected process performed an uncommon service deactivation
Informational overridden
A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden
An unsigned process performed an uncommon service deactivation
Low overridden
A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden
A successful SSO sign-in from TOR High Identity Analytics 1 variation
A successful sign-in from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A successful SSO sign-in from TOR via Mobile Device
Medium overridden
A successful sign-in from a TOR exit node. overridden
A suspicious direct syscall was executed Low 2 variations
A suspicious direct syscall was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Native API (T1106)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Direct Syscall AnalyticsAttacker's goals: An attacker might try to use direct syscalls to evade detection from a legitimate program.Investigative actions: Investigate the direct syscall-mapped image to verify if it is malicious. Check if this direct syscall is part of the process execution flow.Variations
A suspicious direct syscall was executed by unsigned process from a user folder
High overridden
A suspicious direct syscall was executed by unsigned process from a user folder. overridden
A suspicious direct syscall was executed by a DLL host application
Medium overridden
A suspicious direct syscall was executed by a DLL host application. overridden
A suspicious executable with multiple file extensions was created Medium
An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.A suspicious process enrolled for a certificate Low 1 variation
A suspicious process enrolled for a certificate.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may authenticate as users using a certificate. If a policy is configured with permissive options, the attacker can authenticate as a user with high privileges.Investigative actions: See whether this was a legitimate action. Follow process/user activities. Check for suspicious certificate authentications.Variations
An unsigned suspicious process enrolled for a certificate
Medium overridden
An unsigned suspicious process enrolled for a certificate. overridden
A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A suspicious process queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.Variations
A user suspiciously queried AD CS objects via LDAP
Low overridden
A user suspiciously queried AD CS objects via LDAP. overridden
A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module
A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.