Analytics Alerts
Browse the Cortex analytics alert reference.
134 alerts match the current filters. tactic: TA0007 ✕
Show ATT&CK heatmapA Kubernetes service account has enumerated its permissions Informational Cloud 2 variations
A Kubernetes service account has enumerated its permissions using the self subject review API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Discover permissions to the Kubernetes cluster.Investigative actions: Determine the scope of the Kubernetes service account permissions. Review additional activity of the Kubernetes service account.Variations
Suspicious permission enumeration by a Kubernetes service account
Low overridden
A Kubernetes service account has enumerated its permissions using the self subject review API. overridden
A Kubernetes service account attempted to enumerate its permissions
Low overridden
A Kubernetes service account has attempted to enumerate its permissions using the self subject review API. overridden
A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment Informational Cloud
A new server has been added to an Azure Active Directory Hybrid Health AD FS Environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the new server. Gain access to other servers in the Azure Active Directory Hybrid Health AD FS Environment. Gain access to user accounts in the Azure Active Directory Hybrid Health AD FS Environment.Investigative actions: Check the Azure Active Directory Hybrid Health Monitor to identify the new server. Verify that the new server is correctly configured for ADFS. Check the logs for any errors related to the new server.A suspicious process queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A suspicious process queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.Variations
A user suspiciously queried AD CS objects via LDAP
Low overridden
A user suspiciously queried AD CS objects via LDAP. overridden
A user accessed an abnormal number of files on a remote shared folder Informational Identity Threat Module
A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect valuable data about the organization for exfiltration purposes.Investigative actions: Check for other suspicious activity made by the user at the time of the event. Go over the list of files and check if such user should have access to those files.A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.Variations
A user accessed multiple resources via SSO using an anonymized proxy
Medium overridden
A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden
Suspicious user access to multiple resources via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
Multiple Resource Access from a New IP via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
A user changed the Windows system time Informational Identity Threat Module
A user changed the Windows system time. This may be indicative of a malicious activity and may affect authentication from the source machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Time Discovery (T1124)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: A malicious insider might change their Windows system time. This action might affect the machine's ability to authenticate to the domain.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation
A user executed multiple LDAP enumeration queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server)Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Variations
A user executed suspicious LDAP enumeration queries
Low overridden
A user executed multiple LDAP enumeration queries. overridden
A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A user queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.Variations
A user enumerated AD CS objects using suspicious LDAP query
Low overridden
A user enumerated AD CS objects using suspicious LDAP query. overridden
AI model discovery Low Cloud
A cloud identity listed available AI models. This behavior often suggests reconnaissance on AI models and potential misuse.MITRE ATLAS Technique: AML.T0007 - Discover ML Artifacts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gather information about AI models in the environment.Investigative actions: Determine which AI models were enumerated. Monitor the usage of affected AI models to detect potential misuse, such as unusual or excessive access attempts. Investigate any unusual activity originating from the suspected identity.AWS EBS discovery operation Informational Cloud
AWS EBS discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)Required data: AWS Audit LogAttacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.AWS EBS enumeration activity Informational Cloud
EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.AWS EC2 discovery operation Informational Cloud 3 variations
AWS EC2 discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.Variations
AWS VPC discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS Site-to-Site VPN discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS PrivateLink discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS EC2 infrastructure enumeration activity Informational Cloud
EC2 infrastructure enumeration activity detected within a specific AWS region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover EC2 resources and network setup to find potential weaknesses or targets. Use the gathered information to enable lateral movement, privilege escalation, or data exfiltration.Investigative actions: Identify and review the specific EC2 enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.AWS IAM account discovery operation Informational Cloud
AWS IAM account discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Understand the IAM structure and relationships between users, roles, and groups to identify high-privilege identities or misconfigurations. Identify identities or roles that can be used to escalate privileges or gain broader access.Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.AWS IAM permission groups discovery operation Informational Cloud 1 variation
AWS IAM permission groups discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Cloud Groups (T1069.003)Required data: AWS Audit LogAttacker's goals: Understand the IAM structure and relationships between users, groups, and roles. Identify high-privilege identities or misconfigurations for privilege escalation.Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.Variations
Unusual AWS IAM permission groups discovery operation
Informational overridden
First execution of an AWS IAM permission groups discovery operation by a non-user identity. overridden
AWS Lambda discovery operation Informational Cloud
AWS Lambda discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.AWS Lambda infrastructure enumeration activity Informational Cloud
Lambda infrastructure enumeration activity detected within a specific AWS region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover deployed functions and their configurations. Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths. Enumerate metadata for potential weaknesses or sensitive data.Investigative actions: Identify and review the specific Lambda enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.AWS Password Policy Discovery Informational Cloud
A cloud identity has viewed the AWS account password policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Password Policy Discovery (T1201)Required data: AWS Audit LogAttacker's goals: Obtaining the account password policy facilitates password brute-force attacks and enables lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS S3 Buckets enumeration activity Informational Cloud
Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover available S3 buckets in the environment. Enumerate objects within buckets to determine the type and structure of stored data. Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.Investigative actions: Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns. Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.AWS S3 discovery operation Informational Cloud
AWS S3 discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619)Required data: AWS Audit LogAttacker's goals: Identify accessible buckets, enumerate their contents, and assess permissions or public exposure. Locate sensitive data, evaluate exfiltration paths, and plan privilege escalation or misconfiguration abuse.Investigative actions: Verify if the identity normally interacts with S3 in this environment. Check whether the activity was part of a legitimate application or automated process or if it appears interactive or out-of-pattern. Look for signs of broad enumeration, such as listing multiple buckets or traversing objects across different buckets. Investigate whether the accessed bucket or objects contain sensitive data or are configured for public or cross-account access. Correlate with other actions to determine if data was accessed, exfiltrated, or altered.AWS SSM parameters discovery Informational Cloud 1 variation
An attempt was made to list parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS SSM parameters discovery
Informational overridden
An attempt was made to list parameters stored in AWS SSM. overridden
AWS Secrets Manager discovery Informational Cloud 1 variation
An attempt was made to list secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS Secrets Manager discovery
Informational overridden
An attempt was made to list secrets from AWS Secrets Manager. overridden
AWS Security Service Enumeration Informational Cloud 1 variation
AWS security service enumeration activity, potentially indicating reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Software Discovery (T1518) Software Discovery: Security Software Discovery (T1518.001) Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Reconnaissance of security defenses to assess and identify exploitable weaknesses.Investigative actions: Review which API calls were executed and their frequency. Analyze the identity performing the actions. Inspect configurations of enumerated services.Variations
AWS Multiple Security Services Enumeration
Informational overridden
AWS security service enumeration activity, potentially indicating reconnaissance. overridden
AWS Storage Gateway enumeration Informational Cloud
An AWS Storage Gateway was enumerated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate the organizational structure to plan lateral movement.Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.AWS Storage Gateway file share enumeration Informational Cloud
AWS Storage Gateway file shares were enumerated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate the organizational structure to plan lateral movement.Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.AWS principals discovery Informational Cloud
A cloud identity has enumerated principals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtaining a list of principals that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS resource discovery Informational Cloud
A cloud identity has enumerated resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS support case creation Informational Cloud
A cloud identity has created a new case in AWS support.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .Abnormal ICMP echo (PING) to multiple hosts Low
An endpoint performed an abnormal ICMP echo (PING) to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 2 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR AgentAttacker's goals: An adversary may use the ICMP protocol to map IP addresses, hostnames and segments to plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed host. Verify if newly services or applications that require network mapping were installed on the initiating host.Abnormal connections to a dormant host from a newly seen endpoint Informational 1 variation
The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: While probing the network, an attacker may discover dormant hosts. These inactive systems can then be used for lateral movement or privilege escalation.Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.Variations
Abnormal connections to a dormant host
Low overridden
The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network. overridden
Administrator groups enumerated via LDAP Informational
An LDAP search query that collects information about administrators was executed. This may be indicative of Active Directory domain enumeration, which can be used to perform attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators.An Azure application reached a throttling API rate Informational Cloud 2 variations
An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Enumerate cloud services in an Azure tenant.Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.Variations
An Azure application reached an unusual throttling API rate
Informational overridden
An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden
An Azure application reached an unusual throttling API rate
Low overridden
An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden
An Azure identity performed multiple actions that were denied Informational Cloud 3 variations
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Execute various of commands to explore the cloud environment.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
An Azure application attempted multiple actions on resources that were denied
Medium overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure identity attempted multiple actions on resources that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure application performed multiple actions that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An internal Cloud resource performed port scan on external networks Medium Cloud
An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Impact (TA0040)ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR AgentAttacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.Azure enumeration activity using Microsoft Graph API Informational Cloud 1 variation
The Microsoft Graph API was used to enumerate an Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Map the Azure tenant and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Azure sensitive resources enumeration activity using Microsoft Graph API
Informational overridden
Microsoft Graph API was used to enumerate sensitive resources in Azure tenant. overridden
Browser bookmark files accessed by a rare non-browser process Informational
Browser bookmark files accessed by a rare non-browser process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Browser Information Discovery (T1217)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Accessing these files is done by attackers to collect information about the endpoint.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.Cached credentials discovery with cmdkey Low 2 variations
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)Required data: XDR AgentAttacker's goals: Access cached user credentials.Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.Variations
The process cmdkey runs with modified name and extract cached credentials
High overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Transfer cached credentials with cmdkey to other standard output
Medium overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Cloud email infrastructure enumeration activity Informational Cloud
A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Map the cloud email environment and detect potential email resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.Cloud infrastructure enumeration activity Informational Cloud 1 variation
A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Map the cloud environment and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Suspicious cloud infrastructure enumeration activity
Low overridden
A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden
Cloud storage object discovery Informational Cloud
Cloud storage object discovery.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Identify sensitive data, valuable files, configuration details or other information that can be leveraged for further attacks.Investigative actions: Review the identity's permissions and historical access to the storage resource. Analyze the identity's immediate post-listing actions on the storage resource. Correlate this event with other discovery activity or suspicious logins by the identity.Cloud user performed multiple actions that were denied Informational Cloud 1 variation
An identity performed multiple actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Execute various commands to explore the cloud environment.Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.Variations
Cloud non-user identity performed multiple actions that were denied
Low overridden
An identity performed multiple actions that were denied, which may indicate it is being misused. overridden
Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious discovery of accounts without pre-authentication required via LDAP
Medium overridden
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Discovery of host users via WMIC Informational
Attackers may use wmic.exe to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Owner/User Discovery (T1033)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to discover host users and enumerate a huge amount of information.Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).Discovery of misconfigured certificate templates using LDAP Medium 1 variation
An LDAP query searching for misconfigured certificate templates was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker can use misconfigured certificate templates for escalation and authentication.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.Variations
Frequent LDAP discovery of misconfigured certificate templates by a common process
Low overridden
An LDAP query searching for misconfigured certificate templates was executed regularly by a common process. overridden
Failed Connections Low 2 variations
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker does not know your network and is exploring it for new or unknown subnets.Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.Variations
Failed Connections
Informational overridden
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network. overridden
Failed Connections with a rare causality and actor processes relations
Informational overridden
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.These failed connections originated from a rare relation between an actor process and its causality. overridden
First SSO Resource Access in the Organization Informational Identity Analytics 1 variation
A resource was accessed for the first time via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use a possibly compromised account to access privileged resources.Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.Variations
Abnormal first access to a resource via SSO in the organization
Low overridden
A resource was accessed for the first time via SSO with suspicious characteristics. overridden
IAM Enumeration sequence Informational Cloud 1 variation
An identity has executed a sequence of events which may be related to an IAM recon enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.Variations
IAM Enumeration sequence executed from a cloud Internet facing instance
Low overridden
A cloud Internet facing instance performed an unusual IAM enumeration. overridden
IAM instance profile associations were described Informational Cloud
AWS IAM instance profile associations were described.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover infrastructure and resources that are available within a cloud environment.Investigative actions: Determine which instance profile associations were described. Investigate any suspicious activities related to the identity.IAM instance profiles were listed Informational Cloud
AWS IAM instance profiles associated with a role were listed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.Investigative actions: Determine which instance profiles were listed. Investigate any suspicious activities related to the identity and the role.IAM role-attached managed policies were listed Informational Cloud
AWS IAM managed policies that are attached to a role were listed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.Investigative actions: Determine which managed policies were listed. Investigate any suspicious activities related to the identity and the role.Interactive local account enumeration Low Identity Analytics
Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Kerberos Traffic from Non-Standard Process Medium 1 variation
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known Kerberos port with a different protocol to evade detection.Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware. Check if this process was running on other endpoints as well.Variations
Rare Kerberos Traffic from a Process
Low overridden
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally. overridden
Kerberos User Enumeration Medium Identity Analytics
A high amount of Kerberos principal unknown errors were generated on users in the last hour.This may be indicative of Kerberos user enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users and finding service accounts.Investigative actions: Check whether any service principal names (SPNs) were not set correctly, as they will always return a principal unknown error.Kubelet server communication from a pod Informational 1 variation
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.Investigative actions: Examine the process on the pod to understand its purpose.Variations
Kubelet server communication from a pod by a first seen process
Low overridden
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden
Kubernetes API server communication from within a pod Informational 2 variations
The Kubernetes API server was accessed from within a pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual Kubernetes API server communication from within a pod performed by curl process
Medium overridden
The Kubernetes API server was accessed from within a pod. overridden
Unusual Kubernetes API server communication from within a pod
Low overridden
The Kubernetes API server was accessed from within a pod. overridden
Kubernetes enumeration activity Informational Cloud 1 variation
An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Map the cluster environment and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Suspicious Kubernetes enumeration activity
Informational overridden
An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Kubernetes environment enumeration activity Informational 2 variations
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Map the Kubernetes cluster environment and detect potential resources to abuse.Investigative actions: Identify which Kubernetes resources were discovered. Investigate whether affected resources were used to extract sensitive information.Variations
Kubernetes environment enumeration activity from a pod
Medium overridden
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Suspicious Kubernetes environment enumeration activity
Low overridden
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Kubernetes version disclosure Informational
The Kubernetes API server was inquired about the Kubernetes version by a process from within a pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to disclose information about the Kubernetes environment.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Kubernetes vulnerability scanner activity Medium 1 variation
A Kubernetes cluster was scanned by a known vulnerability scanner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Kubernetes vulnerability scanner activity from within a Kubernetes Pod
Medium overridden
A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden
Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations
A known vulnerability scanning tool was used within a Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.Variations
Kubernetes vulnerability scanning tool usage within a pod
Medium overridden
A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden
External Kubernetes vulnerability scanning tool usage
Medium overridden
A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden
LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Abnormal LDAP AD CS Enumeration via Attack Tool
Medium overridden
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden
LDAP search query from an unpopular and unsigned process Low
An unpopular and unsigned process performed an LDAP search query. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.LDAP traffic from non-standard process Informational 4 variations
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR AgentAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating LDAP. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.Variations
LDAP traffic from reverse SSH tunnel
Medium overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from non-standard and uncommon process
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from non-standard process executed under an unsigned causality actor in a commonly abused directory
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from an injected thread within a non-standard process
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
Linux network share discovery Informational
An adversary might use known tools to discover SMB shares within the compromised network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Share Discovery (T1135)Required data: XDR AgentAttacker's goals: Exfiltrate or hide sensitive data.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Local account discovery Informational
One of several local account discovery commands were executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Local Account (T1087.001)Required data: XDR AgentAttacker's goals: Account discovery.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Local group enumeration Informational Identity Analytics 2 variations
A user performed an enumeration on local groups to retrieve their details.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Local group enumeration for the first time
Low overridden
A user performed an enumeration on local groups to retrieve their details. overridden
Local group enumeration using a builtin Windows binary
Informational overridden
A user performed an enumeration on local groups to retrieve their details. overridden
Local group enumeration via RPC Informational 1 variation
A user enumerated local groups via RPC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Remote local group enumeration via RPC
Informational overridden
A user enumerated local groups via RPC. overridden
Local user enumeration via SAMR Informational 1 variation
A user enumerated local users via SAMR.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Local Account (T1087.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local user discovery to identify privileged users and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the user enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local users is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Local user enumeration via SAMR on an internet facing server
Low overridden
A user enumerated local users via SAMR. overridden
Log enumeration via cloud native logging service Informational Cloud 1 variation
An activity of log enumeration operations via cloud native logging service was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Log Enumeration (T1654)Required data: AWS Audit LogAttacker's goals: Gaining information about your environment as part of the discovery phase.Investigative actions: Check the identity which invoked the operations.Variations
Log enumeration via cloud native logging service invoked by an identity for the first time
Low overridden
An activity of log enumeration operations via cloud native logging service was detected. overridden
Mailbox enumeration activity by Azure application Informational Cloud 1 variation
Microsoft Graph API was used to enumerate mailboxes in Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in mailboxes.Investigative actions: Determine which mailboxes were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Variations
Mailbox enumeration activity by Azure user
Informational overridden
Microsoft Graph API was used by a user to enumerate mailboxes. overridden
Microsoft OneDrive enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft OneDrive items.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft OneDrive.Investigative actions: Determine which OneDrive files were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft OneNote enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft OneNote items.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft OneNote.Investigative actions: Determine which OneNote items were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft SharePoint enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft SharePoint sites in an Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft SharePoint.Investigative actions: Determine which SharePoint sites were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft Teams enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft Teams channels in an Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity Logs, Microsoft TeamsAttacker's goals: To extract sensitive information stored in Microsoft Teams.Investigative actions: Determine which Teams channels were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Multi region enumeration activity Informational Cloud
An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.Multiple discovery commands Low 4 variations
The alerted causality performed multiple discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery commands from a web server CGO
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from an SQL server CGO
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from an unsigned causality
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from a standard IT tool
Informational overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Linux host by the same process Informational 2 variations
The alerted process performed multiple consecutive discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery commands on a Linux host by the same process
Medium overridden
The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden
Multiple discovery commands on a Linux host by the same process
Low overridden
The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process Low 5 variations
The alerted process performed multiple discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Remote Multiple discovery commands on a Windows host by the same IP
High overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from a web server CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from an SQL server CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from a remote CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Rare Multiple discovery commands on a Windows host by the same process
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery-like commands Informational 3 variations
The alerted process performed multiple consecutive discovery commands in a short time frame.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery-like commands by web server process
Low overridden
The web server process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple discovery-like commands on a Linux host
Informational overridden
The alerted process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple discovery-like commands
Informational overridden
The alerted process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple failed AWS assume role attempts Informational Cloud 1 variation
An AWS identity performed an unusual high number of failed assume role attempts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.Variations
Suspicious multiple failed AWS assume role attempts
Medium overridden
An AWS identity performed an unusual high number of failed assume role attempts. overridden
Network sniffing detected in Cloud environment Informational Cloud 2 variations
A network sniffing tool was used in a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.Variations
Unusual Network sniffing detected in Cloud environment
Low overridden
A network sniffing tool was used in a cloud environment. overridden
Successful Network sniffing detected in Cloud environment
Informational overridden
A network sniffing tool was used in a cloud environment. overridden
Permission Groups discovery commands Informational 1 variation
Permission group discovery command execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Permission Groups discovery commands in a Kubernetes pod
Informational overridden
Permission group discovery command execution. overridden
Port Scan Informational 3 variations
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: Palo Alto Networks Firewall traffic Logs Third-Party FirewallsAttacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.Investigative actions: New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time. Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert. Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.Variations
Port scan by suspicious process
Low overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Highly suspicious port scan
Medium overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Suspicious port scan
Low overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Port Sweep Informational 1 variation
The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.Investigative actions: Ensure that the source of the port sweep is not a new server in the network. New domain controllers or servers hosting services such as SNMP can cause false positives. Check for new known vulnerabilities in the ports scanned, this method is often used to target known vulnerabilities.Variations
Port Sweep to multiple subnets
Low overridden
The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete. overridden
Possible GPO Enumeration Informational Identity Analytics 2 variations
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Group Policy Discovery (T1615)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Investigate the LDAP search query for any suspicious indicators. Look for additional LDAP queries the user executed that might be suspicious. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Check if the process executes LDAP search queries as part of its normal behavior.Variations
Suspicious GPO Enumeration by an LDAP tool
Medium overridden
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible GPO Enumeration by a Suspicious Process
Low overridden
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible Kerberos User Enumeration Informational Identity Analytics 1 variation
Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Domain Account (T1087.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users.Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Check the host from which the errors originated, and verify the legitimacy of the TGT requests. Correlate successful logons from the source host to identify potential account compromises following the failed attempts. Review source host activity to detect any additional suspicious or lateral movement behavior.Variations
Possible Kerberos User Enumeration Involving Exposed Users
Low overridden
Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration. overridden
Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Possible admin enumeration via LDAP
Informational overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
A user executed an LDAP enumeration query with suspicious characteristics
Medium overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Rare LDAP enumeration query executed by a user
Low overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Possible LDAP Enumeration of Microsoft Configuration Manager Informational Identity Analytics 1 variation
A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Microsoft SCCM AnalyticsAttacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.Variations
Suspicious enumeration on Microsoft Configuration Manager via LDAP
Low overridden
A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible LDAP enumeration by unsigned process Informational 2 variations
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.Variations
Possible LDAP enumeration by unsigned process
Medium overridden
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden
Possible LDAP enumeration by unsigned process
Low overridden
An unsigned process performed multiple different LDAP search queries. This may be indicative of LDAP enumeration. overridden
Possible SPN enumeration Informational Identity Analytics 1 variation
A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious SPN enumeration via LDAP
Low overridden
A possible SPN enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible network service discovery via command-line tool Low
An attacker may use command-line utilities to discover open ports and services on a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Unavailable.Investigative actions: Unavailable.Possible network sniffing attempt via tcpdump or tshark Low
Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible path traversal via HTTP request Low 3 variations
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.Investigative actions: Inspect the legitimacy of the URI path. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.Variations
Possible sensitive path traversal via HTTP request
Medium overridden
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden
Possible path traversal via HTTP request from a TOR exit node
Medium overridden
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden
Possible credential path traversal via HTTP request
Medium overridden
The endpoint received a suspicious URI via an HTTP request that resembles a path traversal attempt. overridden
Possible use of a networking driver for network sniffing Informational 2 variations
A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.Variations
Possible use of a networking driver for network sniffing
Medium overridden
A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Possible use of a networking driver for network sniffing
Low overridden
A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Rare LDAP enumeration Low
Possible LDAP enumeration with a rare combination of queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: LDAP AnalyticsAttacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Remote account enumeration Informational Identity Analytics 2 variations
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Variations
Suspicious Remote domain account enumeration
Medium overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote account enumeration on domain accounts
Low overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
SCCM log files enumeration Informational Identity Analytics 1 variation
Multiple local SCCM logs were accessed within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Log Enumeration (T1654)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Enumerate data about the SCCM configuration, infrastructure and deployments.Investigative actions: Check suspicious network connections from the process or host. Check if the user account that initiated the enumeration is supposed to access these files.Variations
Suspicious SCCM log files enumeration
Low overridden
Multiple local SCCM logs were abnormally accessed within a short period of time. overridden
SMB Traffic from Non-Standard Process Low 1 variation
SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known SMB port with a different protocol to evade detection. Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.Variations
SMB Traffic from Non-Standard Process on a sensitive server
Medium overridden
SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol. overridden
SUID/GUID permission discovery Low
Attackers may search for potential to elevate permissions using binaries that have the SUID or GUID bit enabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: XDR AgentAttacker's goals: Attackers may use GUID/SUID binaries to elevate privileges.Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.Security tools detection attempt Informational
A script has executed commands that can be used to detect security tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.