Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

249 alerts match the current filters. tactic: TA0005 ✕

Show ATT&CK heatmap
  • A Kubernetes namespace was created or deleted Informational Cloud

    A Kubernetes namespace was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Manipulating namespace name to make it appear legitimate or benign.
    Investigative actions: Check which changes were made to the Kubernetes namespace.
  • A LOLBIN was copied to a different location Informational 2 variations

    To evade detection, attackers may copy a LOLBIN executable to a different location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Attacker's goals: Command execution via lolbins and detection avoidance via file rename.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the lolbin and try to see if it's benign.

    Variations

    A LOLBIN was copied to a different location using a rare command line

    High overridden

    To evade detection, attackers may copy a LOLBIN executable to a different location. overridden

    A LOLBIN was copied to a different location using a rare command line via a commonly used method

    Low overridden

    To evade detection, attackers may copy a LOLBIN executable to a different location. overridden

  • A Service Principal was removed from Azure Informational Cloud

    A service principal was removed from Azure. This indicates a change in access permissions and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)
    Required data: Azure Audit Log
    Attacker's goals: Evade defensive measures by deleting a possibly malicious service principal.
    Investigative actions: Check the Azure Active Directory audit logs for the details of the removed service principal. Check the Azure role assignments to identify which resources were impacted by the removal of the service principal.
  • A browser was opened in private mode Informational Identity Threat Module

    A browser was opened in private mode, which may indicate an attempt to cover tracks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)
    Required data: XDR Agent
    Attacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • A cloud identity created or modified a security group Informational Cloud 2 variations

    A cloud identity created or modified a security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Bypass network security controls to gain access to restricted cloud resources.
    Investigative actions: Check which security rules were added or modified. Check whether the identity that modified the security group rules is permitted to perform such action. Check which cloud resources can be affected by the security group.

    Variations

    A cloud identity opened a security group to the Internet

    Medium overridden

    A cloud identity modified a security group to allow network access from the Internet. overridden

    A cloud identity opened a security group to an unknown IP

    Low overridden

    A cloud identity modified a security group to allow network access from an unknown IP. overridden

  • A cloud storage configuration was modified Informational Cloud

    A cloud storage configuration was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: An attacker may use this API to grant storage access permission.
    Investigative actions: Check if the identity intended to modify the storage configuration. Check if the identity performed additional malicious operations in the cloud environment.
  • A compiled HTML help file wrote a script file to the disk Low

    A compiled HTML help file wrote a script file to the disk. Compiled HTLM help files usually don't write script files to the disk. This behavior is often employed by malware that leverages malicious CHM files to deliver a 2nd stage payload.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Compiled HTML File (T1218.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Deliver a 2nd stage payload or to avoid detection.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check the file that was written to the disk for malicious activities.
  • A domain was added to the trusted domains list Low Identity Threat Module 2 variations

    A domain was added to the Google Workspace trusted domains list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.

    Variations

    A domain was added to the trusted domains list by a non Google Workspace administrative user

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

    A domain was added to the trusted domains list from an unusual ASN

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

  • A process is masquerading as a common Microsoft product Informational 5 variations

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.

    Variations

    An unsigned actor executed masqueraded process which was downloaded from unexpected source

    High overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    An unsigned and rare actor executing masqueraded process with uncommon characteristics

    High overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process that was executed by remote causality actor is masquerading as a common Microsoft product

    Medium overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process is masquerading as a common Microsoft Lolbin

    Low overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

    A process running from a commonly abused directory is masquerading as a common Microsoft product

    Low overridden

    An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden

  • A process was executed with a command line obfuscated by Unicode character substitution Medium

    A process was executed with a command line obfuscated by Unicode character substitution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Hide its action and avoid detection.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

  • A suspicious executable with multiple file extensions was created Medium

    An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.
    Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.
  • A third-party utility was copied to a different location Informational

    To evade detection, attackers may copy a third-party utility executable to a different location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file rename.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the third-party utility and try to see if it's benign.
  • A user added a Windows firewall rule Informational Identity Threat Module

    A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Check Windows Defender Firewall with Advanced Security for a new rule that was added. Check if the new rule was added to different machines as well.
  • A user logged in at an unusual time via SSO Informational Identity Analytics 1 variation

    A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check the login of the user. Check further actions done by the account (e.g. creating files in suspicious locations, creating users, elevating permissions, etc.). Check if the user accessing remote resources or connecting to other services. Check if the user is logging in from an unusual time zone while traveling. Check if the user usually logs in from this country.

    Variations

    Google Workspace - A user logged in at an unusual time via SSO

    Informational overridden

    A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised. overridden

  • A user logged in at an unusual time via VPN Informational Identity Analytics

    A user connected to a VPN on a day and hour, which is unusual for this user. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check the amount of traffic and how long it continues. Follow further actions done by the user.
  • A user modified an Okta network zone Informational Identity Threat Module 2 variations

    An Okta network zone was modified by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta network zone to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other network zones have been changed or removed.

    Variations

    The user has made an unusual modification to the Okta Network zone

    Medium overridden

    An atypical modification to the Okta Network zone has been performed by the user. overridden

    A user modified an Okta network zone with suspicious characteristics

    Low overridden

    An Okta network zone was modified by a user with suspicious characteristics. overridden

  • A user modified an Okta policy rule Informational Identity Threat Module 1 variation

    An Okta policy rule was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.

    Variations

    A user modified an Okta policy rule with suspicious characteristics

    Low overridden

    An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden

  • A user modified the CA audit policy Low Identity Analytics

    This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable Windows Event Logging (T1562.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to cover their tracks before an AD CS attack.
    Investigative actions: Check the user account modifying the CA audit policy and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.
  • AI safeguards deletion attempt Informational Cloud 1 variation

    A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.
    Investigative actions: Examine which AI models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    AI safeguards were successfully deleted

    Low overridden

    A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

  • AI safeguards were modified Informational Cloud 2 variations

    A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.
    Investigative actions: Examine changed safeguards filters and determine which AI models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual modification of AI safeguards

    Low overridden

    A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

    AI safeguards were created or modified

    Informational overridden

    A cloud identity created or modified AI safeguards. overridden

  • AWS Bedrock model invocation logging deletion Low Cloud 2 variations

    A cloud identity deleted the model invocation logging.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Avoid detection by limiting collected data from models.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.

    Variations

    AWS Bedrock model invocation logging deletion by an identity with administrative activity

    Informational overridden

    A cloud identity with administrative activity deleted the model invocation logging. overridden

    AWS Bedrock model invocation logging was successfully deleted

    Low overridden

    A cloud identity successfully deleted the model invocation logging. overridden

  • AWS CloudTrail has been stopped Informational Cloud 2 variations

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Verify whether the identity attempted to stop trail logging. Determine if additional trails continue to log activity.

    Variations

    AWS CloudTrail has been stopped

    Medium overridden

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden

    AWS CloudTrail has been stopped

    Low overridden

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden

  • AWS CloudTrail modification Informational Cloud 2 variations

    An identity updated a CloudTrail trail configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Review the activity of the identity that modified the trail's configuration. Check which trail is affected by this change. Verify whether a new destination has been set for log archiving.

    Variations

    AWS CloudTrail modification

    Medium overridden

    An identity updated a CloudTrail trail configuration. overridden

    AWS CloudTrail modification

    Low overridden

    An identity updated a CloudTrail trail configuration. overridden

  • AWS CloudWatch log group deletion Informational Cloud

    An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.
  • AWS CloudWatch log stream deletion Informational Cloud

    An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.
  • AWS Config Recorder stopped Informational Cloud

    Configuration Recorder was stopped for a resource in AWS Config.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check the identity which stopped the configuration recording. Check what resources are affected by this change.
  • AWS Flow Logs deletion Informational Cloud

    A cloud identity has deleted one or more Flow Logs records.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate information.
    Investigative actions: Check if the Identity intended to delete the Flow Logs record/s. Check what VPC is affected by this.
  • AWS Guard-Duty detector deletion Low Cloud

    AWS Guard-Duty detector was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: This action may assist an attacker to evade detection.
    Investigative actions: Check why the identity deleted the detector. Check what resources are relevant to the deleted detector.
  • AWS S3 bucket was exposed to public access Low Cloud 2 variations

    AWS bucket was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the bucket to public. Change the bucket or ACL policy for bucket. Restrict permissions for the identity if needed.

    Variations

    AWS S3 bucket was exposed to public access by admin cloud identity

    Informational overridden

    AWS bucket was publicly shared. overridden

    AWS S3 bucket was exposed to public access containing sensitive information

    High overridden

    AWS bucket was publicly shared. overridden

  • AWS SecurityHub findings were modified Informational Cloud

    AWS SecurityHub findings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: AWS Audit Log
    Attacker's goals: Bypass security measures implemented by AWS SecurityHub.
    Investigative actions: Check the current AWS SecurityHub settings and verify they are configured properly.
  • AWS config resource deletion Informational Cloud

    An AWS config resource deletion this includes:Config rule, organization rule, configuration recorder, remediation configuration, conformance pack, configuration aggregator, delivery channel, retention configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may modify Config configuration to evade detection.
    Investigative actions: Check why the identity deleted the configuration. Check what resources are relevant to the deleted config.
  • AWS data asset shared public Low Cloud

    A data asset was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.
  • AWS network ACL rule deletion Informational Cloud

    An AWS network ACL rule was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Identify which VPC and associated resources are affected. Check the rule number, as ACL rules are evaluated in order. Determine whether the rule is ingress or egress.
  • AWS web ACL deletion Informational Cloud 1 variation

    Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: To impair defense, this may assist data exfiltration.
    Investigative actions: Verify if the identity intended to delete the Web ACL. Check what resources are affected by the Web ACL deletion.

    Variations

    Successful AWS web ACL deletion by a non-admin identity

    Low overridden

    Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted. overridden

  • An AWS GuardDuty IP set was created Informational Cloud

    An AWS GuardDuty IP set has been created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which IP set has been modified and confirm the changes.
  • An AWS S3 bucket configuration was modified Informational Cloud

    An AWS S3 bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify storage configuration to detection or allow access to sensitive information.
    Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.
  • An AWS SAML provider was modified Informational Cloud

    An AWS SAML provider was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)
    Required data: AWS Audit Log
    Attacker's goals: Gain privileged access to AWS accounts.
    Investigative actions: Check what changes were made to the SAML provider.
  • An Azure Firewall policy deletion Low Cloud

    An Azure Firewall policy was deleted. An attacker might use this technique to disable network defenses.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate information, network persistence of a service/resource.
    Investigative actions: Check which subnets or specific IP addresses were affected by the change. Check which services were accessed after the firewall change and via which protocols or network traffic.
  • An Azure Firewall rule collection group was modified or deleted Informational Cloud

    An Azure Firewall rule collection group was modified or deleted. This could indicate a malicious actor attempting to bypass security measures.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures to gain access to cloud resources.
    Investigative actions: Check the Azure Firewall rule collection group to identify the modified or deleted rules.
  • An Azure Firewall was modified Informational Cloud

    An Azure Firewall was modified or deleted. This may indicate a security risk.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Verify whether the identity should be making this action. Check what changes were made to Azure Firewall.
  • An Azure Network Security Group was modified Informational Cloud

    An Azure Network Security Group was modified or deleted. This could indicate malicious activity or a misconfiguration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures to gain access to cloud resources.
    Investigative actions: Check the network security settings of the Azure account to identify any recent changes.
  • An Azure Point-to-Site VPN was modified Informational Cloud

    An Azure Point-to-Site VPN was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security controls.
    Investigative actions: Determine how the Azure Point-to-Site VPN was modified or deleted. Verify whether the identity performing this action is authorized to make such changes.
  • An Azure Suppression Rule was created Informational Cloud

    An Azure Suppression Rule was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Investigate the user's activity to determine the cause of the alert.
  • An Azure VPN Connection was modified Informational Cloud

    Modification or removal of an Azure VPN connection was detected. This alert indicates a change to an existing VPN connection or the deletion of an existing connection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Check how Azure VPN Connection was modified. Verify whether the identity should be making this action.
  • An Azure firewall rule group was modified Informational Cloud

    An Azure firewall rule group was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security controls to gain access to restricted resources within the Azure cloud environment.
    Investigative actions: Check the Azure Firewall rule configuration to identify the changes made. Verify whether the identity should be making this action.
  • An app was added to the Google Workspace trusted OAuth apps list Informational Identity Threat Module 2 variations

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was added to the trusted apps list looks suspicious. Follow further actions done by the account.

    Variations

    An unusual app was added to the Google Workspace trusted OAuth apps list

    Low overridden

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden

    An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity

    Low overridden

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden

  • An app was removed from a blocked list in Google Workspace Informational Identity Threat Module 3 variations

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious OAuth Apps can be used to request elevated permissions or to impersonate another user.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was removed from the trusted apps list looks suspicious. Follow further actions done by the account.

    Variations

    An app was removed from a blocked list in Google Workspace by a suspicious identity

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

    An app was removed from a blocked list in Google Workspace by a non Google Workspace administrative user

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

    An app was removed from a blocked list in Google Workspace from an unusual ASN

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

  • An identity disabled bucket logging Informational Cloud

    An identity disabled bucket logging.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Avoid detection by disabling cloud logging capabilities.
    Investigative actions: Determine whether this activity was done on purpose. Examine additional API calls made by the identity.
  • An unsigned process created scheduled task and performed an injection Medium 1 variation

    An unsigned process created scheduled task and performed an injection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.
    Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.

    Variations

    Possible an unsigned installer created scheduled task and performed an injection

    Low overridden

    Possible an unsigned installer created scheduled task and performed an injection. overridden

  • An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation

    An unusual cloud identity was granted permissions to a BigQuery table or dataset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.
    Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.

    Variations

    Cloud admin granted an unknown identity permissions to a BigQuery resource

    Informational overridden

    An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden

  • Authentication Attempt From a Dormant Account Informational 1 variation

    A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    31 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Use a compromised user account that has not been used in a long time and therefore less likely to be noticed.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Authentication Attempt From a Dormant Account to a sensitive server

    Low overridden

    A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker on a sensitive server. overridden

  • Azure AD PIM alert disabled Medium Identity Threat Module

    An identity disabled an Azure AD PIM alert.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker might want to disable alerts associated with authentication requirements for privileged access. This may allow malicious activities to go unnoticed.
    Investigative actions: Check what alert was disabled. Check whether the user that disabled the alert is permitted to perform such actions.
  • Azure AD PIM role settings change Low Identity Threat Module 1 variation

    An identity changed the PIM role settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.
    Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.

    Variations

    Suspicious Azure AD PIM role settings change

    Medium overridden

    An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden

  • Azure Automation Runbook Deletion Informational Cloud

    An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)
    Required data: Azure Audit Log
    Attacker's goals: Stop business services.
    Investigative actions: Check which runbook was deleted and whether it is malicious or valid.
  • Azure Blob Container Access Level Modification Informational Cloud

    Access level modification for a blob container, this action might be dangerous as sensitive data can be exposed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: File and Directory Permissions Modification (T1222)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Access restricted data.
    Investigative actions: Check if and which data was exposed after the access level modification.
  • Azure Event Hub Deletion Low Cloud

    An Azure event hub was deleted. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check what actions were taken by the identity that deleted the event hub.
  • Azure Kubernetes events were deleted Informational Cloud

    Events have been deleted in Azure Kubernetes. This could indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Remove evidence or hinder defenses.
    Investigative actions: Look for any suspicious activity initiated by the identity.
  • Azure Network Watcher Deletion Low Cloud

    Azure Network Watchers are used for monitoring and diagnosing Azure resources. An attacker might use this technique to avoid security mitigations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Avoid security mitigations and detections.
    Investigative actions: Check which devices are monitored by the deleted Network Watcher.
  • Azure Resource Group Deletion Informational Cloud

    Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which resource group was deleted.
  • Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations

    An identity registered an Azure Temporary Access Pass (TAP) to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.
    Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.

    Variations

    Azure Temporary Access Pass (TAP) registered to a privileged account

    Medium overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

    Abnormal Azure Temporary Access Pass (TAP) account registration

    Low overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

  • Azure application URI modification Informational Identity Threat Module 1 variation

    An identity added or updated an Azure application's URI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.

    Variations

    Suspicious Azure application URI modification

    Low overridden

    An identity added or updated an Azure application's URI. overridden

  • Azure application credentials added Informational Identity Threat Module 2 variations

    An identity added credentials to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.

    Variations

    Suspicious credential operation on an Azure application

    Medium overridden

    An identity added a certificate to an Azure application in a suspicious way. overridden

    Unusual certificate operation on an Azure application

    Low overridden

    An identity added a certificate to an Azure application with some unusual parameters. overridden

  • Azure application removed Informational Cloud

    An Azure application has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts (T1564)
    Required data: Azure Audit Log
    Attacker's goals: Delete apps used for malicious activities. Delete evidence of activity.
    Investigative actions: Check the Azure Portal for any changes in applications. Review the activities performed by the application.
  • Azure conditional access policy creation or modification Informational Cloud

    An Azure conditional access policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Bypass authentication controls.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure device code authentication flow used Informational Identity Analytics 3 variations

    An Azure AD login was performed with device code flow.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: Azure Audit Log
    Attacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.
    Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.

    Variations

    Suspicious Azure device code authentication flow used by an Azure AD privileged user

    Medium overridden

    An Azure AD login was performed with device code flow. overridden

    Suspicious Azure device code authentication flow used

    Low overridden

    An Azure AD login was performed with device code flow. overridden

    Azure device code authentication flow used by an Azure AD privileged user

    Low overridden

    An Azure AD login was performed with device code flow. overridden

  • Azure diagnostic configuration deletion Informational Cloud

    An attacker might delete the Azure diagnostic settings to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check the identity and its actions after the deletion action.
  • Azure mailbox rule creation Informational Cloud 1 variation

    A Mailbox rule in Azure was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Intercept or exfiltrate sensitive information.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.

    Variations

    Unusual Azure mailbox rule creation

    Low overridden

    A Mailbox rule in Azure was created. overridden

  • Azure storage account blob anonymous access is enabled Informational Cloud

    It is possible to configure anonymous access to blobs within the storage account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Azure storage account was publicly shared Informational Cloud

    Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: Attackers want to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the storage account should be accessed from all networks. Disable public network access if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • BitLocker key retrieval Informational Identity Threat Module

    An identity retrieved a BitLocker Key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.
    Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.
  • Change of sudo caching configuration Low 1 variation

    Change of sudo caching configuration may have been intended to enable privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use the sudoers file to elevate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Change of sudo caching configuration in a Kubernetes pod

    Low overridden

    Change of sudo caching configuration may have been intended to enable privilege escalation. overridden

  • Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation

    A user modified Chrome OS Remote Access configuration in Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)
    ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.
    Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.

    Variations

    Suspicious Chrome OS Remote Access policy was modified in Google Workspace

    Low overridden

    This is the first time the user performs this operation in the last 30 days. overridden

  • Cloud AI agent was modified Informational Cloud 1 variation

    A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Modify AI agents to evade certain restrictions and potentially access sensitive data.
    Investigative actions: Examine changed AI agent and determine how it was affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual modification of AI agent

    Low overridden

    A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

  • Cloud Organizational policy was created or modified Informational Cloud 1 variation

    Cloud organizational policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)
    Required data: Gcp Audit Log
    Attacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.
    Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.

    Variations

    Cloud Organizational policy was created or modified

    Low overridden

    Cloud organizational policy was created or modified. overridden

  • Cloud Watch alarm deletion Informational Cloud

    A Cloud Watch alarm was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Delete alarm to evade detection.
    Investigative actions: Check the identity that deleted the alarm. Check the which resource were related to the deleted alarm.
  • Cloud compute volume creation attempt Informational Cloud 1 variation

    An attempt was made to create an EBS volume.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on snapshots.
    Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.

    Variations

    Cloud compute volume creation attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to create an EBS volume. overridden

  • Cloud instance creation attempt Informational Cloud

    An attempt was made to create a cloud compute instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Create a new cloud instance to evade detection or leverage it for further malicious activity.
    Investigative actions: Review recent activity related to the identity and the created cloud instance.
  • Cloud instance deletion attempt Informational Cloud 1 variation

    An attempt was made to delete a cloud compute instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: To remove evidence or disrupt operations.
    Investigative actions: Review recent activity associated with the identity and the deleted instance.

    Variations

    Cloud instance deletion attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to delete a cloud compute instance. overridden

  • Cloud resource logging was disabled Informational Cloud 3 variations

    Cloud resource logging was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Avoiding detection of their activities by limiting the amount of data collected. This action may be preliminary to resource deletion or data exhilaration from the resource. Setting the stage for further attacks, like a Ransomware Attack.
    Investigative actions: Confirm that the identity intended to disable logging on this resource. Follow further actions done by the identity. Monitor other (non-disabled) activity logs related to this resource.

    Variations

    Cloud resource logging was disabled - failed attempt

    Informational overridden

    A failed attempt to disable cloud resource logging. overridden

    Cloud resource logging was disabled on an Azure DB/storage resource

    Informational overridden

    Cloud resource logging was disabled on a DB/storage resource. overridden

    Cloud resource logging was disabled on a GCP DB/storage resource

    Low overridden

    Cloud resource logging was disabled on a DB/storage resource. overridden

  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

  • CloudTrail logging deletion Informational Cloud 2 variations

    CloudTrail logging trail deletion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Verify whether the identity attempted to delete the trail. Determine whether an additional trail needs to be enabled.

    Variations

    Successful CloudTrail logging deletion by a non-admin identity

    Medium overridden

    CloudTrail logging trail deletion. overridden

    Successful CloudTrail logging deletion by an unusual identity

    Low overridden

    CloudTrail logging trail deletion. overridden

  • Common third-party software name masquerading Informational 2 variations

    An attacker might leverage common third-party software image names to run malicious processes without being caught.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker is attempting to masquerade as a common third-party software image to execute malicious code.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.

    Variations

    Common third-party software name masquerading which was downloaded from an unexpected source

    Low overridden

    An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden

    Common third-party software name masquerading with uncommon characteristics by actor with uncommon characteristics

    Low overridden

    An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden

  • Compute activity in dormant cloud region Informational Cloud 3 variations

    A compute resource was created or updated in a cloud region that has been dormant for this project.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Unused/Unsupported Cloud Regions (T1535)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Create compute resources in unmonitored regions to evade detection for purposes such as hijacking resources or establishing persistence.
    Investigative actions: Verify if compute resources are authorized in this region. Terminate unauthorized compute resources and disable unused regions.

    Variations

    Compute activity in dormant cloud region from a non-VPN IP address

    Informational overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

    A cloud compute instance was created in a dormant region

    Medium overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

    Compute activity in dormant cloud region by a compromised AWS access key

    High overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

  • Conditional Access policy removed Low Identity Threat Module

    An identity removed a Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.
  • Conhost.exe spawned a suspicious cmd process Low 3 variations

    Attackers may abuse the conhost process to execute malicious files and evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Investigate the processes being spawned on the host for malicious activities.
    Investigative actions: An adversary may use the conhost process to evade detection.

    Variations

    Conhost.exe spawned a suspicious powershell encoded command

    High overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

    Conhost.exe spawned a suspicious scripting process with long command line

    Medium overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

    Conhost.exe spawned a suspicious child process

    Medium overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

  • Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations

    An identity has modified data sharing settings between GCP and Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.

    Variations

    Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

  • Data encryption was disabled Informational Cloud

    A cloud identity has disabled data encryption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Weaken Encryption (T1600) Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: An attacker is trying to access sensitive data in plaintext. An attacker might try to exfiltrate plaintext data to an endpoint controlled by the attacker and avoid detection. An attacker can re-encrypt the data with a key that is available only to the attacker.
    Investigative actions: Check if the identity intended to disable data encryption. Check which cloud assets were affected by manipulating the above-mentioned configuration file. Check if the identity performed additional suspicious actions to affected assets.
  • Delayed Deletion of Files Low

    A command line deleting files used the time-out or ping commands to delay the file deletion. This is suspicious, as malware sometimes uses these techniques to cover their tracks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal: File Deletion (T1070.004)
    Required data: XDR Agent
    Attacker's goals: Evade security controls and possibly cover their tracks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Deletion of AD CS certificate database entries Informational Identity Analytics 1 variation

    A user has deleted rows from the certificate database of an AD CS server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to cover their tracks after issuing certificates.
    Investigative actions: Check the user account deleting the certificate database entries and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes.

    Variations

    Abnormal deletion of AD CS certificate database entries

    Low overridden

    A user has deleted rows from the certificate database of an AD CS server. overridden

  • Device Registration Policy modification Informational Identity Threat Module 1 variation

    An identity changed the Device Registration policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    A user modified the Device Registration Policy for the first time

    Low overridden

    An identity changed the Device Registration policy. overridden

  • Disable Microsoft Defender Antivirus via registry Low

    Disable Microsoft Defender Antivirus via registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to disable defender antivirus to execute malicious tools and move through the network without triggering alarms.
    Investigative actions: Investigate the process that set or create the registry key.
  • EBS volume attachment attempt Informational Cloud 2 variations

    An attempt was made to attach an EBS volume to an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log
    Attacker's goals: Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.
    Investigative actions: Review recent activity related to the identity, the attached volume and the cloud instance.

    Variations

    EBS volume attachment attempt for volume with sensitive data

    Informational overridden

    An attempt was made to attach an EBS volume with sensitive data to an EC2 instance. overridden

    EBS volume attachment attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to attach an EBS volume to an EC2 instance. overridden

  • EBS volume detachment attempt Informational Cloud 1 variation

    An attempt was made to detach an AWS EBS volume from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on the detached volume.
    Investigative actions: Review recent activity related to the identity and the detached volume.

    Variations

    EBS volume detachment attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to detach an AWS EBS volume from an EC2 instance. overridden

  • Email attachment with Right-to-Left Override Unicode character Low Email

    The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.
  • Email attachment with multiple extensions Informational Email 2 variations

    This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.

    Variations

    Email executable attachment with multiple extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

    Email executable attachment with multiple executable extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

  • Email attachment(s) with potentially malicious MIME type Informational Email 2 variations

    The email message contains an attachment(s) with a potentially malicious MIME type.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.

    Variations

    Attachment(s) with potentially malicious MIME type unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious MIME type that is unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email containing a link with an IP address convention was detected Informational Email

    A link with IP address convention was detected within the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email containing a redirected link Informational Email 1 variation

    An email with a redirected link has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers can use link redirection to disguise malicious URLs.
    Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email containing a redirected link with multiple redirections

    Informational overridden

    An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden

  • Email with URL shortener detected Informational Email

    A URL shortener was detected in the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts (T1564)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers use URL shorteners to hide the true destination of a link, making it easier to trick recipients into clicking on it.
    Investigative actions: Examine the sender's IP ֿֿaddress and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.