Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

134 alerts match the current filters. tactic: TA0007 ✕

Show ATT&CK heatmap
  • A Kubernetes service account has enumerated its permissions Informational Cloud 2 variations

    A Kubernetes service account has enumerated its permissions using the self subject review API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Discover permissions to the Kubernetes cluster.
    Investigative actions: Determine the scope of the Kubernetes service account permissions. Review additional activity of the Kubernetes service account.

    Variations

    Suspicious permission enumeration by a Kubernetes service account

    Low overridden

    A Kubernetes service account has enumerated its permissions using the self subject review API. overridden

    A Kubernetes service account attempted to enumerate its permissions

    Low overridden

    A Kubernetes service account has attempted to enumerate its permissions using the self subject review API. overridden

  • A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment Informational Cloud

    A new server has been added to an Azure Active Directory Hybrid Health AD FS Environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the new server. Gain access to other servers in the Azure Active Directory Hybrid Health AD FS Environment. Gain access to user accounts in the Azure Active Directory Hybrid Health AD FS Environment.
    Investigative actions: Check the Azure Active Directory Hybrid Health Monitor to identify the new server. Verify that the new server is correctly configured for ADFS. Check the logs for any errors related to the new server.
  • A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A suspicious process queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user suspiciously queried AD CS objects via LDAP

    Low overridden

    A user suspiciously queried AD CS objects via LDAP. overridden

  • A user accessed an abnormal number of files on a remote shared folder Informational Identity Threat Module

    A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect valuable data about the organization for exfiltration purposes.
    Investigative actions: Check for other suspicious activity made by the user at the time of the event. Go over the list of files and check if such user should have access to those files.
  • A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    A user accessed multiple resources via SSO using an anonymized proxy

    Medium overridden

    A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden

    Suspicious user access to multiple resources via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

    Multiple Resource Access from a New IP via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

  • A user changed the Windows system time Informational Identity Threat Module

    A user changed the Windows system time. This may be indicative of a malicious activity and may affect authentication from the source machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Time Discovery (T1124)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: A malicious insider might change their Windows system time. This action might affect the machine's ability to authenticate to the domain.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation

    A user executed multiple LDAP enumeration queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server)
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.

    Variations

    A user executed suspicious LDAP enumeration queries

    Low overridden

    A user executed multiple LDAP enumeration queries. overridden

  • A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A user queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user enumerated AD CS objects using suspicious LDAP query

    Low overridden

    A user enumerated AD CS objects using suspicious LDAP query. overridden

  • AI model discovery Low Cloud

    A cloud identity listed available AI models. This behavior often suggests reconnaissance on AI models and potential misuse.MITRE ATLAS Technique: AML.T0007 - Discover ML Artifacts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gather information about AI models in the environment.
    Investigative actions: Determine which AI models were enumerated. Monitor the usage of affected AI models to detect potential misuse, such as unusual or excessive access attempts. Investigate any unusual activity originating from the suspected identity.
  • AWS EBS discovery operation Informational Cloud

    AWS EBS discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.
    Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.
  • AWS EBS enumeration activity Informational Cloud

    EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.
    Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.
  • AWS EC2 discovery operation Informational Cloud 3 variations

    AWS EC2 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.
    Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.

    Variations

    AWS VPC discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS Site-to-Site VPN discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS PrivateLink discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

  • AWS EC2 infrastructure enumeration activity Informational Cloud

    EC2 infrastructure enumeration activity detected within a specific AWS region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover EC2 resources and network setup to find potential weaknesses or targets. Use the gathered information to enable lateral movement, privilege escalation, or data exfiltration.
    Investigative actions: Identify and review the specific EC2 enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.
  • AWS IAM account discovery operation Informational Cloud

    AWS IAM account discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Understand the IAM structure and relationships between users, roles, and groups to identify high-privilege identities or misconfigurations. Identify identities or roles that can be used to escalate privileges or gain broader access.
    Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.
  • AWS IAM permission groups discovery operation Informational Cloud 1 variation

    AWS IAM permission groups discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Cloud Groups (T1069.003)
    Required data: AWS Audit Log
    Attacker's goals: Understand the IAM structure and relationships between users, groups, and roles. Identify high-privilege identities or misconfigurations for privilege escalation.
    Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.

    Variations

    Unusual AWS IAM permission groups discovery operation

    Informational overridden

    First execution of an AWS IAM permission groups discovery operation by a non-user identity. overridden

  • AWS Lambda discovery operation Informational Cloud

    AWS Lambda discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.
    Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.
  • AWS Lambda infrastructure enumeration activity Informational Cloud

    Lambda infrastructure enumeration activity detected within a specific AWS region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover deployed functions and their configurations. Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths. Enumerate metadata for potential weaknesses or sensitive data.
    Investigative actions: Identify and review the specific Lambda enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.
  • AWS Password Policy Discovery Informational Cloud

    A cloud identity has viewed the AWS account password policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Password Policy Discovery (T1201)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining the account password policy facilitates password brute-force attacks and enables lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • AWS S3 Buckets enumeration activity Informational Cloud

    Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover available S3 buckets in the environment. Enumerate objects within buckets to determine the type and structure of stored data. Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.
    Investigative actions: Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns. Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.
  • AWS S3 discovery operation Informational Cloud

    AWS S3 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible buckets, enumerate their contents, and assess permissions or public exposure. Locate sensitive data, evaluate exfiltration paths, and plan privilege escalation or misconfiguration abuse.
    Investigative actions: Verify if the identity normally interacts with S3 in this environment. Check whether the activity was part of a legitimate application or automated process or if it appears interactive or out-of-pattern. Look for signs of broad enumeration, such as listing multiple buckets or traversing objects across different buckets. Investigate whether the accessed bucket or objects contain sensitive data or are configured for public or cross-account access. Correlate with other actions to determine if data was accessed, exfiltrated, or altered.
  • AWS SSM parameters discovery Informational Cloud 1 variation

    An attempt was made to list parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS SSM parameters discovery

    Informational overridden

    An attempt was made to list parameters stored in AWS SSM. overridden

  • AWS Secrets Manager discovery Informational Cloud 1 variation

    An attempt was made to list secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS Secrets Manager discovery

    Informational overridden

    An attempt was made to list secrets from AWS Secrets Manager. overridden

  • AWS Security Service Enumeration Informational Cloud 1 variation

    AWS security service enumeration activity, potentially indicating reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Software Discovery (T1518) Software Discovery: Security Software Discovery (T1518.001) Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Reconnaissance of security defenses to assess and identify exploitable weaknesses.
    Investigative actions: Review which API calls were executed and their frequency. Analyze the identity performing the actions. Inspect configurations of enumerated services.

    Variations

    AWS Multiple Security Services Enumeration

    Informational overridden

    AWS security service enumeration activity, potentially indicating reconnaissance. overridden

  • AWS Storage Gateway enumeration Informational Cloud

    An AWS Storage Gateway was enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS Storage Gateway file share enumeration Informational Cloud

    AWS Storage Gateway file shares were enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS principals discovery Informational Cloud

    A cloud identity has enumerated principals.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of principals that could be targeted for lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • AWS resource discovery Informational Cloud

    A cloud identity has enumerated resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • AWS support case creation Informational Cloud

    A cloud identity has created a new case in AWS support.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.
    Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .
  • Abnormal ICMP echo (PING) to multiple hosts Low

    An endpoint performed an abnormal ICMP echo (PING) to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    2 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: XDR Agent
    Attacker's goals: An adversary may use the ICMP protocol to map IP addresses, hostnames and segments to plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed host. Verify if newly services or applications that require network mapping were installed on the initiating host.
  • Abnormal connections to a dormant host from a newly seen endpoint Informational 1 variation

    The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: While probing the network, an attacker may discover dormant hosts. These inactive systems can then be used for lateral movement or privilege escalation.
    Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.

    Variations

    Abnormal connections to a dormant host

    Low overridden

    The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network. overridden

  • Administrator groups enumerated via LDAP Informational

    An LDAP search query that collects information about administrators was executed. This may be indicative of Active Directory domain enumeration, which can be used to perform attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators.
  • An Azure application reached a throttling API rate Informational Cloud 2 variations

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Enumerate cloud services in an Azure tenant.
    Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.

    Variations

    An Azure application reached an unusual throttling API rate

    Informational overridden

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden

    An Azure application reached an unusual throttling API rate

    Low overridden

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden

  • An Azure identity performed multiple actions that were denied Informational Cloud 3 variations

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Execute various of commands to explore the cloud environment.
    Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.

    Variations

    An Azure application attempted multiple actions on resources that were denied

    Medium overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

    An Azure identity attempted multiple actions on resources that were denied

    Low overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

    An Azure application performed multiple actions that were denied

    Low overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

  • An internal Cloud resource performed port scan on external networks Medium Cloud

    An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Impact (TA0040)
    ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)
    Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR Agent
    Attacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.
    Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.
  • Azure enumeration activity using Microsoft Graph API Informational Cloud 1 variation

    The Microsoft Graph API was used to enumerate an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Map the Azure tenant and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Azure sensitive resources enumeration activity using Microsoft Graph API

    Informational overridden

    Microsoft Graph API was used to enumerate sensitive resources in Azure tenant. overridden

  • Browser bookmark files accessed by a rare non-browser process Informational

    Browser bookmark files accessed by a rare non-browser process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Browser Information Discovery (T1217)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Accessing these files is done by attackers to collect information about the endpoint.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.
  • Cached credentials discovery with cmdkey Low 2 variations

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)
    Required data: XDR Agent
    Attacker's goals: Access cached user credentials.
    Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.

    Variations

    The process cmdkey runs with modified name and extract cached credentials

    High overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

    Transfer cached credentials with cmdkey to other standard output

    Medium overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

  • Cloud email infrastructure enumeration activity Informational Cloud

    A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Map the cloud email environment and detect potential email resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.
  • Cloud infrastructure enumeration activity Informational Cloud 1 variation

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Map the cloud environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious cloud infrastructure enumeration activity

    Low overridden

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden

  • Cloud storage object discovery Informational Cloud

    Cloud storage object discovery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Identify sensitive data, valuable files, configuration details or other information that can be leveraged for further attacks.
    Investigative actions: Review the identity's permissions and historical access to the storage resource. Analyze the identity's immediate post-listing actions on the storage resource. Correlate this event with other discovery activity or suspicious logins by the identity.
  • Cloud user performed multiple actions that were denied Informational Cloud 1 variation

    An identity performed multiple actions that were denied, which may indicate it is being misused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Execute various commands to explore the cloud environment.
    Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.

    Variations

    Cloud non-user identity performed multiple actions that were denied

    Low overridden

    An identity performed multiple actions that were denied, which may indicate it is being misused. overridden

  • Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Suspicious discovery of accounts without pre-authentication required via LDAP

    Medium overridden

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Discovery of host users via WMIC Informational

    Attackers may use wmic.exe to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Owner/User Discovery (T1033)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to discover host users and enumerate a huge amount of information.
    Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).
  • Discovery of misconfigured certificate templates using LDAP Medium 1 variation

    An LDAP query searching for misconfigured certificate templates was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker can use misconfigured certificate templates for escalation and authentication.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    Frequent LDAP discovery of misconfigured certificate templates by a common process

    Low overridden

    An LDAP query searching for misconfigured certificate templates was executed regularly by a common process. overridden

  • Failed Connections Low 2 variations

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: An attacker does not know your network and is exploring it for new or unknown subnets.
    Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.

    Variations

    Failed Connections

    Informational overridden

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network. overridden

    Failed Connections with a rare causality and actor processes relations

    Informational overridden

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.These failed connections originated from a rare relation between an actor process and its causality. overridden

  • First SSO Resource Access in the Organization Informational Identity Analytics 1 variation

    A resource was accessed for the first time via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use a possibly compromised account to access privileged resources.
    Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.

    Variations

    Abnormal first access to a resource via SSO in the organization

    Low overridden

    A resource was accessed for the first time via SSO with suspicious characteristics. overridden

  • IAM Enumeration sequence Informational Cloud 1 variation

    An identity has executed a sequence of events which may be related to an IAM recon enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.

    Variations

    IAM Enumeration sequence executed from a cloud Internet facing instance

    Low overridden

    A cloud Internet facing instance performed an unusual IAM enumeration. overridden

  • IAM instance profile associations were described Informational Cloud

    AWS IAM instance profile associations were described.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover infrastructure and resources that are available within a cloud environment.
    Investigative actions: Determine which instance profile associations were described. Investigate any suspicious activities related to the identity.
  • IAM instance profiles were listed Informational Cloud

    AWS IAM instance profiles associated with a role were listed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.
    Investigative actions: Determine which instance profiles were listed. Investigate any suspicious activities related to the identity and the role.
  • IAM role-attached managed policies were listed Informational Cloud

    AWS IAM managed policies that are attached to a role were listed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.
    Investigative actions: Determine which managed policies were listed. Investigate any suspicious activities related to the identity and the role.
  • Interactive local account enumeration Low Identity Analytics

    Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.
  • Kerberos Traffic from Non-Standard Process Medium 1 variation

    The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known Kerberos port with a different protocol to evade detection.Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.
    Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware. Check if this process was running on other endpoints as well.

    Variations

    Rare Kerberos Traffic from a Process

    Low overridden

    The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally. overridden

  • Kerberos User Enumeration Medium Identity Analytics

    A high amount of Kerberos principal unknown errors were generated on users in the last hour.This may be indicative of Kerberos user enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users and finding service accounts.
    Investigative actions: Check whether any service principal names (SPNs) were not set correctly, as they will always return a principal unknown error.
  • Kubelet server communication from a pod Informational 1 variation

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)
    ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.
    Investigative actions: Examine the process on the pod to understand its purpose.

    Variations

    Kubelet server communication from a pod by a first seen process

    Low overridden

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden

  • Kubernetes API server communication from within a pod Informational 2 variations

    The Kubernetes API server was accessed from within a pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual Kubernetes API server communication from within a pod performed by curl process

    Medium overridden

    The Kubernetes API server was accessed from within a pod. overridden

    Unusual Kubernetes API server communication from within a pod

    Low overridden

    The Kubernetes API server was accessed from within a pod. overridden

  • Kubernetes enumeration activity Informational Cloud 1 variation

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Map the cluster environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious Kubernetes enumeration activity

    Informational overridden

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Kubernetes environment enumeration activity Informational 2 variations

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Map the Kubernetes cluster environment and detect potential resources to abuse.
    Investigative actions: Identify which Kubernetes resources were discovered. Investigate whether affected resources were used to extract sensitive information.

    Variations

    Kubernetes environment enumeration activity from a pod

    Medium overridden

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

    Suspicious Kubernetes environment enumeration activity

    Low overridden

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Kubernetes version disclosure Informational

    The Kubernetes API server was inquired about the Kubernetes version by a process from within a pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to disclose information about the Kubernetes environment.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.
  • Kubernetes vulnerability scanner activity Medium 1 variation

    A Kubernetes cluster was scanned by a known vulnerability scanner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Kubernetes vulnerability scanner activity from within a Kubernetes Pod

    Medium overridden

    A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden

  • Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations

    A known vulnerability scanning tool was used within a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.

    Variations

    Kubernetes vulnerability scanning tool usage within a pod

    Medium overridden

    A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden

    External Kubernetes vulnerability scanning tool usage

    Medium overridden

    A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden

  • LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Abnormal LDAP AD CS Enumeration via Attack Tool

    Medium overridden

    A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden

  • LDAP search query from an unpopular and unsigned process Low

    An unpopular and unsigned process performed an LDAP search query. This may be indicative of LDAP enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.
  • LDAP traffic from non-standard process Informational 4 variations

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating LDAP. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.

    Variations

    LDAP traffic from reverse SSH tunnel

    Medium overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

    LDAP traffic from non-standard and uncommon process

    Low overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

    LDAP traffic from non-standard process executed under an unsigned causality actor in a commonly abused directory

    Low overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

    LDAP traffic from an injected thread within a non-standard process

    Low overridden

    LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden

  • Linux network share discovery Informational

    An adversary might use known tools to discover SMB shares within the compromised network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Share Discovery (T1135)
    Required data: XDR Agent
    Attacker's goals: Exfiltrate or hide sensitive data.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.
  • Local account discovery Informational

    One of several local account discovery commands were executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Local Account (T1087.001)
    Required data: XDR Agent
    Attacker's goals: Account discovery.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Local group enumeration Informational Identity Analytics 2 variations

    A user performed an enumeration on local groups to retrieve their details.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Local group enumeration for the first time

    Low overridden

    A user performed an enumeration on local groups to retrieve their details. overridden

    Local group enumeration using a builtin Windows binary

    Informational overridden

    A user performed an enumeration on local groups to retrieve their details. overridden

  • Local group enumeration via RPC Informational 1 variation

    A user enumerated local groups via RPC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Remote local group enumeration via RPC

    Informational overridden

    A user enumerated local groups via RPC. overridden

  • Local user enumeration via SAMR Informational 1 variation

    A user enumerated local users via SAMR.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Local Account (T1087.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local user discovery to identify privileged users and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the user enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local users is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Local user enumeration via SAMR on an internet facing server

    Low overridden

    A user enumerated local users via SAMR. overridden

  • Log enumeration via cloud native logging service Informational Cloud 1 variation

    An activity of log enumeration operations via cloud native logging service was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Log Enumeration (T1654)
    Required data: AWS Audit Log
    Attacker's goals: Gaining information about your environment as part of the discovery phase.
    Investigative actions: Check the identity which invoked the operations.

    Variations

    Log enumeration via cloud native logging service invoked by an identity for the first time

    Low overridden

    An activity of log enumeration operations via cloud native logging service was detected. overridden

  • Mailbox enumeration activity by Azure application Informational Cloud 1 variation

    Microsoft Graph API was used to enumerate mailboxes in Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in mailboxes.
    Investigative actions: Determine which mailboxes were enumerated and whether they contained any sensitive information. Investigate the identity following actions.

    Variations

    Mailbox enumeration activity by Azure user

    Informational overridden

    Microsoft Graph API was used by a user to enumerate mailboxes. overridden

  • Microsoft OneDrive enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft OneDrive items.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft OneDrive.
    Investigative actions: Determine which OneDrive files were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft OneNote enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft OneNote items.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft OneNote.
    Investigative actions: Determine which OneNote items were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft SharePoint enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft SharePoint sites in an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft SharePoint.
    Investigative actions: Determine which SharePoint sites were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft Teams enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft Teams channels in an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs, Microsoft Teams
    Attacker's goals: To extract sensitive information stored in Microsoft Teams.
    Investigative actions: Determine which Teams channels were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Multi region enumeration activity Informational Cloud

    An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.
    Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.
  • Multiple discovery commands Low 4 variations

    The alerted causality performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands from a web server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an SQL server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an unsigned causality

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from a standard IT tool

    Informational overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Linux host by the same process Informational 2 variations

    The alerted process performed multiple consecutive discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands on a Linux host by the same process

    Medium overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Linux host by the same process

    Low overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Windows host by the same process Low 5 variations

    The alerted process performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Remote Multiple discovery commands on a Windows host by the same IP

    High overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a web server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from an SQL server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a remote CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Rare Multiple discovery commands on a Windows host by the same process

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery-like commands Informational 3 variations

    The alerted process performed multiple consecutive discovery commands in a short time frame.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery-like commands by web server process

    Low overridden

    The web server process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands on a Linux host

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

  • Multiple failed AWS assume role attempts Informational Cloud 1 variation

    An AWS identity performed an unusual high number of failed assume role attempts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.
    Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.

    Variations

    Suspicious multiple failed AWS assume role attempts

    Medium overridden

    An AWS identity performed an unusual high number of failed assume role attempts. overridden

  • Network sniffing detected in Cloud environment Informational Cloud 2 variations

    A network sniffing tool was used in a cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.
    Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.

    Variations

    Unusual Network sniffing detected in Cloud environment

    Low overridden

    A network sniffing tool was used in a cloud environment. overridden

    Successful Network sniffing detected in Cloud environment

    Informational overridden

    A network sniffing tool was used in a cloud environment. overridden

  • Permission Groups discovery commands Informational 1 variation

    Permission group discovery command execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Collect information about the host.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Permission Groups discovery commands in a Kubernetes pod

    Informational overridden

    Permission group discovery command execution. overridden

  • Port Scan Informational 3 variations

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: Palo Alto Networks Firewall traffic Logs Third-Party Firewalls
    Attacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.
    Investigative actions: New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time. Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert. Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.

    Variations

    Port scan by suspicious process

    Low overridden

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden

    Highly suspicious port scan

    Medium overridden

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden

    Suspicious port scan

    Low overridden

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden

  • Port Sweep Informational 1 variation

    The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.
    Investigative actions: Ensure that the source of the port sweep is not a new server in the network. New domain controllers or servers hosting services such as SNMP can cause false positives. Check for new known vulnerabilities in the ports scanned, this method is often used to target known vulnerabilities.

    Variations

    Port Sweep to multiple subnets

    Low overridden

    The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete. overridden

  • Possible GPO Enumeration Informational Identity Analytics 2 variations

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Group Policy Discovery (T1615)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Investigate the LDAP search query for any suspicious indicators. Look for additional LDAP queries the user executed that might be suspicious. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Check if the process executes LDAP search queries as part of its normal behavior.

    Variations

    Suspicious GPO Enumeration by an LDAP tool

    Medium overridden

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

    Possible GPO Enumeration by a Suspicious Process

    Low overridden

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Possible Kerberos User Enumeration Informational Identity Analytics 1 variation

    Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Domain Account (T1087.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users.
    Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Check the host from which the errors originated, and verify the legitimacy of the TGT requests. Correlate successful logons from the source host to identify potential account compromises following the failed attempts. Review source host activity to detect any additional suspicious or lateral movement behavior.

    Variations

    Possible Kerberos User Enumeration Involving Exposed Users

    Low overridden

    Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration. overridden

  • Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Possible admin enumeration via LDAP

    Informational overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    A user executed an LDAP enumeration query with suspicious characteristics

    Medium overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    Rare LDAP enumeration query executed by a user

    Low overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

  • Possible LDAP Enumeration of Microsoft Configuration Manager Informational Identity Analytics 1 variation

    A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Microsoft SCCM Analytics
    Attacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.

    Variations

    Suspicious enumeration on Microsoft Configuration Manager via LDAP

    Low overridden

    A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Possible LDAP enumeration by unsigned process Informational 2 variations

    An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.

    Variations

    Possible LDAP enumeration by unsigned process

    Medium overridden

    An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden

    Possible LDAP enumeration by unsigned process

    Low overridden

    An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden

  • Possible SPN enumeration Informational Identity Analytics 1 variation

    A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Suspicious SPN enumeration via LDAP

    Low overridden

    A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Possible network service discovery via command-line tool Low

    An attacker may use command-line utilities to discover open ports and services on a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: Unavailable.
    Investigative actions: Unavailable.
  • Possible network sniffing attempt via tcpdump or tshark Low

    Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible path traversal via HTTP request Low 3 variations

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.

    Variations

    Possible sensitive path traversal via HTTP request

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

    Possible path traversal via HTTP request from a TOR exit node

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

    Possible credential path traversal via HTTP request

    Medium overridden

    The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden

  • Possible use of a networking driver for network sniffing Informational 2 variations

    A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.
    Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.

    Variations

    Possible use of a networking driver for network sniffing

    Medium overridden

    A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

    Possible use of a networking driver for network sniffing

    Low overridden

    A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

  • Rare LDAP enumeration Low

    Possible LDAP enumeration with a rare combination of queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Palo Alto Networks Firewall EAL Logs
    Detector tags: LDAP Analytics
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.
  • Remote account enumeration Informational Identity Analytics 2 variations

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

    Variations

    Suspicious Remote domain account enumeration

    Medium overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

    Remote account enumeration on domain accounts

    Low overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

  • SCCM log files enumeration Informational Identity Analytics 1 variation

    Multiple local SCCM logs were accessed within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Log Enumeration (T1654)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Enumerate data about the SCCM configuration, infrastructure and deployments.
    Investigative actions: Check suspicious network connections from the process or host. Check if the user account that initiated the enumeration is supposed to access these files.

    Variations

    Suspicious SCCM log files enumeration

    Low overridden

    Multiple local SCCM logs were abnormally accessed within a short period of time. overridden

  • SMB Traffic from Non-Standard Process Low 1 variation

    SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known SMB port with a different protocol to evade detection. Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.
    Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.

    Variations

    SMB Traffic from Non-Standard Process on a sensitive server

    Medium overridden

    SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol. overridden

  • SUID/GUID permission discovery Low

    Attackers may search for potential to elevate permissions using binaries that have the SUID or GUID bit enabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent
    Attacker's goals: Attackers may use GUID/SUID binaries to elevate privileges.
    Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.
  • Security tools detection attempt Informational

    A script has executed commands that can be used to detect security tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.