Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

194 alerts match the current filters. tactic: TA0006 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Informational overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Medium overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A Kubernetes secret was created or deleted Informational Cloud

    A Kubernetes secret was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Obtain Kubernetes secrets to access restricted information.
    Investigative actions: Check which changes were made to the Kubernetes secret.
  • A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations

    A compute-attached identity performed actions outside the compute instance region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.

    Variations

    A compute-attached identity executed API calls outside the Lambda function's region

    Informational overridden

    A compute-attached identity performed actions outside the Lambda function region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

    High overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

    Medium overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual ASN

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity failed to execute API calls outside the instance's region

    Informational overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

  • A process queried the ADFS database decryption key via LDAP Low Identity Analytics 3 variations

    A process queried the ADFS database decryption key (DKM key) via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Federation Services Analytics
    Attacker's goals: An attacker wanting to perform a golden SAML attack will want to steal the ADFS token-signing certificates. To steal the token-signing certificates, the attacker will need to access the ADFS database To access the encrypted ADFS database, an attacker will attempt to retrieve the decryption key via an LDAP query.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Check for unusual ADFS logins. Check the process that initiated the query. Investigate the LDAP search query for any suspicious indicators.

    Variations

    LDAP query explicitly queried the ADFS database decryption key (DKM key)

    Medium overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

    A process explicitly queried the ADFS database decryption key (DKM key) via LDAP

    Medium overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

    LDAP query queried the ADFS database decryption key (DKM key)

    Low overridden

    A process queried the ADFS database decryption key (DKM key) via LDAP. overridden

  • A suspicious process enrolled for a certificate Low 1 variation

    A suspicious process enrolled for a certificate.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may authenticate as users using a certificate. If a policy is configured with permissive options, the attacker can authenticate as a user with high privileges.
    Investigative actions: See whether this was a legitimate action. Follow process/user activities. Check for suspicious certificate authentications.

    Variations

    An unsigned suspicious process enrolled for a certificate

    Medium overridden

    An unsigned suspicious process enrolled for a certificate. overridden

  • A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A suspicious process queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user suspiciously queried AD CS objects via LDAP

    Low overridden

    A user suspiciously queried AD CS objects via LDAP. overridden

  • A user attempted to bypass Okta MFA Low Identity Threat Module 1 variation

    A user may have attempted to bypass Okta MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.

    Variations

    A successful bypass of Okta MFA

    Low overridden

    Suspicious MFA bypass attempt in Okta. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user connected from a new country Informational Identity Analytics 1 variation

    A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    A user connected from a new country - suspicious characteristics detected

    Low overridden

    The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden

  • A user connected to a VPN from a new country Informational Identity Analytics 1 variation

    A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    A user connected to a VPN from a suspicious country

    Low overridden

    A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden

  • A user created a pfx file for the first time Informational Identity Analytics 1 variation

    A user created a pfx file for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may export certificates to pfx files to use them for authentication, persistence or NTLM extraction.
    Investigative actions: Check if the pfx creation is legitimate for the user (testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).

    Variations

    A user created a pfx in a suspicious folder for the first time

    Low overridden

    A user created a pfx in a suspicious folder which is publicly accessible, for the first time. overridden

  • A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation

    A user logged in from an unusual country or ASN. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.

    Variations

    A service account successfully logged in from a new country or ASN

    Low overridden

    A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user modified an Okta MFA factor Informational Identity Threat Module 1 variation

    An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.

    Variations

    Abnormal Okta MFA Factor Authentication Modification

    Low overridden

    An OKTA MFA factor was modified by a user with suspicious conditions. overridden

  • A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A user queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user enumerated AD CS objects using suspicious LDAP query

    Low overridden

    A user enumerated AD CS objects using suspicious LDAP query. overridden

  • A user received multiple weakly encrypted service tickets Informational Identity Analytics 1 variation

    A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Abnormal issuance of weakly encrypted service tickets to a user

    Low overridden

    A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack. overridden

  • A user rejected an SSO request from an unusual country Low Identity Analytics

    A user rejected an SSO authentication request from an abnormal country.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.
  • A user requested multiple service tickets Informational Identity Analytics 1 variation

    A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Abnormal issuance of service tickets to a user

    Low overridden

    A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack. overridden

  • A user sent multiple TGT requests to irregular service Low Identity Analytics 2 variations

    A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    A user sent an excessive number of TGT requests to irregular services

    Medium overridden

    A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack. overridden

    A user sent a TGT request to irregular service

    Informational overridden

    A user sent a TGT request to a service other than KRBTGT and KADMIN. This might indicate an attempt to perform a Kerberoasting attack. overridden

  • ADFS DKM Key Access Low Identity Threat Module

    ADFS DKM key attribute (thumbnailphoto) access in AD container, potential Golden SAML token forging attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.
    Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • AWS SSM parameters discovery Informational Cloud 1 variation

    An attempt was made to list parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS SSM parameters discovery

    Informational overridden

    An attempt was made to list parameters stored in AWS SSM. overridden

  • AWS SSM parameters retrieval Informational Cloud 2 variations

    An attempt was made to retrieve parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS SSM parameter store.
    Investigative actions: Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

    Variations

    AWS SSM encrypted parameters retrieval

    Informational overridden

    An attempt was made to retrieve encrypted parameters stored in AWS SSM. overridden

    Unusual AWS SSM parameters retrieval

    Informational overridden

    An attempt was made to retrieve parameters stored in AWS SSM. overridden

  • AWS STS temporary credentials were generated Informational Cloud

    AWS STS temporary credentials were generated for an AWS identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)
    Required data: AWS Audit Log
    Attacker's goals: Gain access and persistence to AWS account.
    Investigative actions: Check which operation executed with the new credentials.
  • AWS Secrets Manager Access Informational Cloud 1 variation

    An attempt was made to retrieve secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Investigate the secret's purpose and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

    Variations

    Unusual AWS Secrets Manager Access

    Informational overridden

    An attempt was made to retrieve secrets from AWS Secrets Manager. overridden

  • AWS Secrets Manager discovery Informational Cloud 1 variation

    An attempt was made to list secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS Secrets Manager discovery

    Informational overridden

    An attempt was made to list secrets from AWS Secrets Manager. overridden

  • AWS console login without MFA Informational Cloud

    An identity logged in to the AWS console without MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
    Required data: AWS Audit Log
    Attacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.
    Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.
  • Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.
    Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.

    Variations

    Suspicious File Activity in SCCMContentLib Shared Folder by user

    Low overridden

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden

  • Access to Kubernetes CA certificate file Informational 1 variation

    A process accessed a Kubernetes CA certificate file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Make API calls against the Kubernetes cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed certificate was used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed certificate.

    Variations

    Access to Kubernetes CA certificate file by an unusual process

    Low overridden

    A process accessed a Kubernetes CA certificate file for the first time. overridden

  • Access to Kubernetes configuration file Informational 3 variations

    A process accessed a Kubernetes node configuration file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Gain access to the Kubernetes environment.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to Kubernetes configuration file by an unusual process

    Low overridden

    A process accessed a Kubernetes node configuration file. overridden

    Access to Kubernetes configuration file from an unusual Kubernetes pod

    Low overridden

    A process accessed a Kubernetes node configuration file. overridden

    Access to Kubernetes configuration file from a Kubernetes pod

    Informational overridden

    A process accessed a Kubernetes node configuration file. overridden

  • Access to kubelet credentials file Informational 1 variation

    A process accessed a kubelet credentials file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Impersonate the node agent to gain control over the cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to kubelet credentials file by an unusual process

    Low overridden

    A process accessed a kubelet credentials file for the first time. overridden

  • Account probing Low Identity Analytics

    A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Gain access to hosts by using stolen user-account credentials.
    Investigative actions: Check if the user account was compromised, and which resources it could access.
  • An Azure Key Vault key was modified Informational Cloud

    An Azure Key Vault key was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the Azure Key Vault.
    Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.
  • An Azure Key Vault was modified Informational Cloud

    Azure Key Vault has been modified or deleted by an Identity. This could be an indication of unauthorized access or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the Azure Key Vault.
    Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.
  • An identity accessed Azure Kubernetes Secrets Informational Cloud

    An identity has accessed or attempted to access Azure Kubernetes secrets or Config Objects.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: Azure Audit Log
    Attacker's goals: Extract Kubernetes secrets to gain access to restricted resources in the cluster.
    Investigative actions: Verify whether the identity should be making this action. Check for any suspicious activity initiated by the identity.
  • An identity successfully extracted multiple secrets within the organization Low Cloud 2 variations

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity successfully enumerated and extracted multiple secrets within the organization

    Medium overridden

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity successfully extracted multiple secrets within the organization across multiple regions

    Medium overridden

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • An unusual process in ingress-nginx has accessed a service-account token file High Cloud

    An unusual process in ingress-nginx has read a service-account token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.
    Investigative actions: Check if the process is intended to preform these actions.
  • Azure Key Vault Secrets were modified Informational Cloud

    Azure key vault secrets were modified. A change or deletion of secrets in Azure Key Vault has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to confidential data stored in the Azure Key Vault.
    Investigative actions: Investigate what Azure Key Vault Secrets were modified or deleted. Check for any suspicious activity initiated by the identity.
  • Azure Key Vault modification Informational Cloud

    Azure Key Vault modifications can be crucial as it stores secrets e.g. encryption keys, certifications, etc.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate information, persistence on existing users or damage critical accounts.
    Investigative actions: Check the identity actions before or after the Key Vault modification. Find which credentials were modified and their usage.
  • Azure Storage Account key generated Informational Cloud

    Azure storage access keys rotation, might affect services/applications depended on the key set.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate information or damage critical services.
    Investigative actions: Check what actions were made by the users a few hours prior/after to the generation operation. Which actions were taken using the newly generated access keys.
  • Azure application consent Informational Identity Threat Module 1 variation

    An identity consented permissions to an application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)
    Required data: AzureAD Audit Log
    Attacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.
    Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.

    Variations

    First seen Azure admin consent to an application

    Low overridden

    An administrative identity consented permissions to an application. overridden

  • Brute-force attempt on a local account Informational Identity Analytics 1 variation

    A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the account.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Brute force on a local account

    Low overridden

    A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack. overridden

  • Cached credentials discovery with cmdkey Low 2 variations

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)
    Required data: XDR Agent
    Attacker's goals: Access cached user credentials.
    Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.

    Variations

    The process cmdkey runs with modified name and extract cached credentials

    High overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

    Transfer cached credentials with cmdkey to other standard output

    Medium overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

  • Cloud IMDS access followed by remote token usage Medium Cloud

    A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: AWS Audit Log XDR Agent
    Attacker's goals: Gain unauthorized access by leveraging valid cloud credentials.
    Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.
  • Copy a process memory file High 1 variation

    Copy a process memory file using the dd utility.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: Proc Filesystem (T1003.007)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Read another process memory, mainly for credential access.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Copy a process memory file from a Kubernetes pod

    High overridden

    Copy a process memory file using the dd utility. overridden

  • Copy a user's GnuPG directory with rsync Low

    Copy a user's GnuPG (.gnupg) directory on to a staging folder using the 'find' and 'rsync' commands.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use the rsync tool to exfiltrate secrets.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Suspicious discovery of accounts without pre-authentication required via LDAP

    Medium overridden

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Email contains URL delivering high-risk file type Informational Email 1 variation

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.
    Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.

    Variations

    External email with URL delivers blocked file types

    Low overridden

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden

  • Excessive user account lockouts Low Identity Analytics 2 variations

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Determine if any programs have stored outdated credentials, causing account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Excessive user account lockouts from a suspicious source

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

    Excessive account lockouts on suspicious users

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

  • External Login Password Spray Informational Identity Analytics 6 variations

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Check the amount of time in between each login attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful login attempts and the ratio of login success versus login failures.

    Variations

    External Login Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    External Login Password Spray from Multiple Source Hosts

    Informational overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    Successful External Login Password Spray on a Domain Controller

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden

    Successful External Login Password Spray on a sensitive server

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time. overridden

    Successful External Login Password Spray

    Low overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    External Login Password Spray on a Domain Controller

    Low overridden

    An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden

  • External email with a single internal recipient hidden in BCC Informational Email 1 variation

    External email with mailbox owner hidden in BCC as the only internal recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.
    Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    External email with only a hidden internal BCC recipient

    Informational overridden

    External email with no visible recipients, mailbox owner is hidden in BCC. overridden

  • Extracting credentials from Unix files Low

    Suspicious Unix files containing insecurely stored credentials were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    Investigative actions: Investigate the process activities and use of the extracted credentials.
  • FTP Connection Using an Anonymous Login or Default Credentials Low

    An FTP connection using an anonymous login was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • First VPN access attempt from a country in organization Informational Identity Analytics 1 variation

    A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    First successful VPN access from a country in organization

    Low overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • First connection from a country in organization Informational Identity Analytics 1 variation

    A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    First successful SSO connection from a country in organization

    Informational overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • Google Workspace user authentication information changed Informational Identity Threat Module 2 variations

    Google Workspace authentication information was changed for a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.
    Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.

    Variations

    Google Workspace administrative user authentication information changed

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

    Google Workspace user authentication information changed by another account

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • Hydra Password Brute-Force Tool Execution High 1 variation

    Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: The attacker attempts to gain access to the account or host.
    Investigative actions: Verify that the commands are executed from a trusted source. Audit the victim account or host and verify that they haven't been compromised.

    Variations

    Hydra Password Brute-Force Tool Execution from a Kubernetes pod

    High overridden

    Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown. overridden

  • IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.
    Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.

    Variations

    Potential Targeted SSO Password Spray Activity Detected

    Medium overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

    Suspicious SSO Login Attempts from Multiple IPs

    Low overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

  • Impossible traveler - SSO Low Identity Analytics 3 variations

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

    Variations

    Impossible traveler - non-interactive SSO authentication

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    Possible Impossible traveler via SSO

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    SSO impossible traveler from a VPN or proxy

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

  • Impossible traveler - VPN Low Identity Analytics 3 variations

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.

    Variations

    Possible Impossible traveler via VPN

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler from a VPN or proxy

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler with an unusual parameter

    Medium overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

  • Intense SSO failures Informational Identity Analytics 1 variation

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.

    Variations

    Intense SSO failures with suspicious characteristics

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden

  • Interactive local account enumeration Low Identity Analytics

    Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.
  • Internal Login Password Spray Informational Identity Analytics 5 variations

    An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Check the amount of time in between each authentication attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful authentication attempts and the ratio of login success versus login failures. Monitor for potential abuse of MFA on users who have successfully logged in.

    Variations

    Suspicious intensive and short internal Login Password Spray

    Medium overridden

    An abnormally high number of login attempts within a very short period of time and suspicious automated behavior. overridden

    High-Volume Internal Password Spray Attack

    Medium overridden

    Over 500 user accounts failed to login within a short period of time. overridden

    Internal Login Password Spray with many wrong password attempts

    Low overridden

    An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time. overridden

    Internal Login Password Spray attempt on local user

    Low overridden

    An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time. overridden

    Internal Login Password Spray on many users

    Low overridden

    An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack. overridden

  • Invalid SAML Detected Informational Identity Threat Module 1 variation

    A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)
    Required data: AzureAD Okta
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: An attacker might forge a valid SAML token to impersonate other user accounts. This is used to gain persistent, unauthorized access to cloud resources, and bypassing MFA.
    Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    Suspicious Invalid SAML Detected

    Low overridden

    A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack. overridden

  • Kerberos Pre-Auth Failures by Host Low

    The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.This can indicate a password-spraying attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.
    Investigative actions: Verify whether the host that generated the alert is normally used by many users (for example, a terminal server). Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • Kerberos Pre-Auth Failures by User and Host Informational

    The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.This can indicate a Kerberos brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting to guess the credentials for the user account.
    Investigative actions: Verify that the password for the account has not been changed recently, without updating the user or the program using it. Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • Key credential attribute modification Informational Identity Analytics 2 variations

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may be attempting to add shadow credentials to an account, gaining persistent unauthorized access.
    Investigative actions: Follow further PKINIT authentication activity by the modified identity. Verify if Windows Hello for Business is enabled, as this is a common benign cause for this activity. Check if the modified credential maps to an existing device ID in Entra ID. Examine recent activity from the user account, including logon patterns and privilege changes.

    Variations

    Possible shadow credentials addition

    Medium overridden

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden

    Key credential attribute addition

    Low overridden

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden

  • Keylogging using system commands Low 1 variation

    Usage of a Linux system utility to capture input.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Input Capture: Keylogging (T1056.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may capture keystrokes to intercept user credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Keylogging using system commands in a Kubernetes pod

    Low overridden

    Usage of a Linux system utility to capture input. overridden

  • Kubernetes admission controller activity Informational Cloud 4 variations

    A Kubernetes admission controller has been created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.
    Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.

    Variations

    Kubernetes validating admission controller was used in the organization for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the organization for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

    Kubernetes validating admission controller was used in the cluster for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the cluster for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

  • Kubernetes secret enumeration activity Informational 5 variations

    Kubectl secret enumeration command was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Attackers may gather sensitive information within a container environment.
    Investigative actions: Check whether the executing process is performed by authorized identity and if this was a desired behavior as part of its normal execution flow.

    Variations

    Kubernetes secret describe activity from a Kubernetes Pod

    Medium overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret value extraction activity from a Kubernetes pod

    Medium overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret enumeration activity from a Kubernetes Pod

    Medium overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret enumeration activity from a host

    Low overridden

    Kubectl secret enumeration command was executed. overridden

    Kubernetes secret value extraction activity

    Informational overridden

    Kubectl secret enumeration command was executed. overridden

  • LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Abnormal LDAP AD CS Enumeration via Attack Tool

    Medium overridden

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden

  • LSASS dump file written to disk Medium

    Dumping Lsass.exe (Local Security Authority Subsystem Service) memory to file allows attackers to later extract credentials from the memory dump.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to extract OS credentials from the dumped Lsass.exe file.
    Investigative actions: Check the dumping process for more suspicious activity.
  • Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation

    A user accessed a large volume of files potentially containing credentials in Google Drive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)
    ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.

    Variations

    Possible credential files harvesting in Google Drive

    Low overridden

    A user accessed a large volume of files potentially containing credentials in Google Drive. overridden

  • MFA Disabled for Google Workspace Low Identity Threat Module 1 variation

    An administrator has disabled Multi-Factor Authentication for Google Workspace users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace accounts with disabled MFA. Exploit Google Workspace accounts with weaker security. Steal sensitive data from Google Workspace accounts.
    Investigative actions: Check the MFA settings for the Google Workspace users. Identify the users who have MFA disabled and investigate the reason for it. Check the security log to see if there have been any suspicious activities in the account.

    Variations

    MFA Disabled for Google Workspace from an unusual caller IP ASN

    Low overridden

    An administrator has disabled Multi-Factor Authentication for Google Workspace users. overridden

  • MFA was disabled for an Azure identity Low Identity Threat Module 2 variations

    MFA was disabled for the user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: AzureAD Audit Log
    Attacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.
    Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.

    Variations

    Suspicious MFA was disabled for an Azure identity

    Medium overridden

    MFA was disabled for the user. overridden

    MFA was disabled for an Azure identity regularly by the user

    Informational overridden

    MFA was disabled for the user. overridden

  • Machine Account NTLM Relay Low

    An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • Memory dumping with comsvcs.dll High

    A process memory dump was performed using comsvcs.dll MiniDump. This method is commonly used by attackers to dump Lsass.exe (Local Security Authority Subsystem Service) process memory to a file, so they could later extract credentials from the memory dump.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: LSASS Memory (T1003.001)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to dump the memory of sensitive processes.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation

    A user registered a device and requested a Microsoft Configuration Manager policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious Microsoft Configuration Manager device registration and policy request

    Low overridden

    A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden

  • Mimikatz command-line arguments High

    These command-line arguments are often used by Mimikatz to dump and harvest credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to use Mimikatz, a known credential theft tool, to dump and harvest credentials.
    Investigative actions: Investigate the executed process to verify if it is malicious. Investigate the command line purpose.
  • Modification of NTLM restrictions in the Registry Low

    Allowing the transmission of NTLM could be part of an NTLM downgrade or an Internal Monologue attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Downgrading to a lower NTLM version gives the attacker an easy way to retrieve NTLM hashes from a Windows machine.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Modification of PAM Informational 1 variation

    Modification of PAM configuration files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Credential access, defense evasion or persistence.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Modification of PAM from a Kubernetes pod

    Informational overridden

    Modification of PAM configuration files. overridden

  • Moniker link detected in URL(s) Informational Email 2 variations

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user on clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    A suspicious Moniker link, SMB and suspicious extension detected

    Medium overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

    A suspicious Moniker link pointing to SMB detected

    Low overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

  • Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation

    Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.

    Variations

    Multiple Okta MFA requests sent to a user with unusual characteristics

    Low overridden

    Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden

  • Multiple Suspicious FTP Login Attempts Low

    Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Multiple TGT requests for users without Kerberos pre-authentication Informational Identity Analytics 2 variations

    Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    An excessive number of TGT requests were sent for users that do not require Kerberos pre-authentication

    Low overridden

    Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack. overridden

    A TGT request was sent for a user who does not require Kerberos pre-authentication

    Informational overridden

    A TGT request was sent for a user who does not require Kerberos pre-authentication. This might indicate an AS-REP attack. overridden

  • Multiple Weakly-Encrypted Kerberos Tickets Received Low

    A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert, generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the alert.Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack account credentials by obtaining easy-to-crack Kerberos tickets.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.
  • Multiple uncommon SSH Servers with the same Server host key Low

    Multiple uncommon SSH servers were observed using the same host key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Adversary-in-the-Middle (T1557)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Attackers may attempt to move laterally within the network by exploiting and relaying stolen client credentials to another SSH server.
    Investigative actions: Audit the authentication attempts to the SSH server using the same key. Look for unusual or repeated connections from the same or unexpected hosts. Audit Client Credentials, check for any signs of compromised client credentials being used on different SSH servers.
  • Multiple user accounts failed login due to account lockouts Low Identity Analytics 1 variation

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if any programs were cached with old credentials, resulting in account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Excessive user account login failure due to lockout from a suspicious source

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

  • NTDS.dit file written by an uncommon executable Low 3 variations

    The Active Directory database file was written by an uncommon process to a non-default location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: NTDS (T1003.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Dump the sensitive contents of the database to masquerade as legitimate domain users.
    Investigative actions: Investigate the nature of the process writing the sensitive file. Is it a standard backup procedure? Check the path the file was written to. Is it local? Are there other relevant artifacts in this location?

    Variations

    NTDS.dit file written by a remote actor

    High overridden

    The Active Directory database file was written to the disk by a remote actor. overridden

    NTDS.dit file written by a rare executable to a suspicious path

    High overridden

    The Active Directory database file was written by a rare process to a suspicious path. overridden

    NTDS.dit file written by a rare executable

    Medium overridden

    The Active Directory database file was written by a rare process to a non-default location. overridden

  • NTLM Brute Force Informational Identity Analytics 2 variations

    This may indicate an NTLM brute force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    NTLM brute force on a sensitive user

    Medium overridden

    This may indicate an NTLM brute force attack. overridden

    High-frequency NTLM brute force attempts detected

    Low overridden

    This may indicate an NTLM brute force attack. overridden

  • NTLM Brute Force on a Service Account Low Identity Analytics

    This may indicate a NTLM brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the service accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • NTLM Brute Force on an Administrator Account Low Identity Analytics

    This may indicate an NTLM brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the administrator accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • NTLM Hash Harvesting Medium Identity Analytics

    An unusual number of users has sent NTLM to a target in the last hour. This may be indicative of poisoning and NTLM hash harvesting.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to extract NTLM hashes for credential access.
    Investigative actions: Check that the destination is not a server. Verify that the destination is not external to the organization.
  • NTLM Password Spray Informational Identity Analytics 1 variation

    A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time. This may be indicative of a NTLM password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to guess user credential by password spray attack over multiple machines.
    Investigative actions: Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.

    Variations

    NTLM password spray on a sensitive entity

    Low overridden

    A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity. This may be indicative of a NTLM password spray attack. overridden

  • NTLM Relay Informational

    An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • Network sniffing detected in Cloud environment Informational Cloud 2 variations

    A network sniffing tool was used in a cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.
    Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.

    Variations

    Unusual Network sniffing detected in Cloud environment

    Low overridden

    A network sniffing tool was used in a cloud environment. overridden

    Successful Network sniffing detected in Cloud environment

    Informational overridden

    A network sniffing tool was used in a cloud environment. overridden

  • Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations

    Identifies outbound emails that include links to file-sharing services sent externally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.
    Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.

    Variations

    Outbound email to external recipient(s) uses first-seen for organization file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

    Outbound email to external recipient(s) uses first-seen for sender file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

  • Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.
    Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    Outbound email sent to an unknown external BCC recipient with no To or CC addresses

    Low overridden

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden

  • Outbound email to an address hosted by a public email service provider Informational Email 1 variation

    Internal sender emailed to an address hosted by a public email service provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Outbound email to a single address hosted by a public email service provider

    Informational overridden

    Internal sender emailed to a single recipient with public email service provider. overridden