Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Reading bash command history file Low

    Attackers may access the bash history file to glean cleartext usernames and passwords that were entered on the command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Shell History (T1552.003)
    Required data: XDR Agent
    Attacker's goals: Adversaries may search the bash history file to search for insecurely stored credentials.
    Investigative actions: Investigate the process activities and use of the extracted credentials.
  • Recurring access to rare IP Low

    The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this external IP address has occurred repeatedly over many days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    21 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the IP address belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious IP address. Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.
  • Recurring access to rare domain Low 1 variation

    The endpoint is periodically connecting to an external domain (categorized as malware) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.

    Variations

    Recurring access to rare domain

    Low overridden

    The endpoint is periodically connecting to an external domain (categorized as command-and-control) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

  • Recurring rare domain access from an unsigned process Low 2 variations

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.

    Variations

    Recurring rare domain access from an uncommon unsigned process

    Medium overridden

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

    Recurring access to a rare domain associated with known threats

    Medium overridden

    An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden

  • Recurring rare domain access to dynamic DNS domain Low

    The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.
  • Registration of Uncommon .NET Services and/or Assemblies Informational

    Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)
    Required data: XDR Agent
    Attacker's goals: Load untrusted code into a trusted Microsoft context to evade detection.
    Investigative actions: Verify if the loaded dll is known to be malicious. Track down which process dropped the library being loaded. Validate if the actions being done by the regasm.exe process are malicious.
  • Remote DCOM command execution Low 4 variations

    A remotely triggered DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the DCOM call from the source host and understand which software initiated it.

    Variations

    Remote suspicious DCOM-MMC20.Application command execution

    High overridden

    A remotely triggered suspicious DCOM-MMC20.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

    Remote suspicious DCOM-Excel.Application command execution

    High overridden

    A remotely triggered suspicious DCOM-Excel.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

    Remote suspicious DCOM-Outlook.Application command execution

    High overridden

    A remotely triggered suspicious DCOM-Outlook.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

    Remote suspicious DCOM command execution

    Medium overridden

    A remotely triggered suspicious DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden

  • Remote PsExec-like command execution Informational 5 variations

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.

    Variations

    Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service

    High overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from an unsigned non-standard PsExec service

    Medium overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec-like command execution from a signed non-standard PsExec service

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

    Remote PsExec command execution

    Low overridden

    A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden

  • Remote WMI process execution Medium 1 variation

    A host that rarely initiates WMI to other remote hosts triggered a remote process execution by using WMI RPC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which process or software initiated it.

    Variations

    Suspicious remote WMI process execution

    High overridden

    A host that rarely initiates WMI to other remote hosts triggered a suspicious remote process execution by using WMI RPC. overridden

  • Remote account enumeration Informational Identity Analytics 2 variations

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

    Variations

    Suspicious Remote domain account enumeration

    Medium overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

    Remote account enumeration on domain accounts

    Low overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

  • Remote code execution into Kubernetes Pod Informational 2 variations

    A container administration service was used to execute commands within a Kubernetes Pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Remote code execution into Kubernetes Pod from another Pod for the first time

    Medium overridden

    A container administration service was used to execute commands within a Kubernetes Pod. overridden

    Remote code execution into Kubernetes Pod from another Pod

    Low overridden

    A container administration service was used to execute commands within a Kubernetes Pod. overridden

  • Remote command execution via wmic.exe Low 1 variation

    Remote command execution using the Windows Management Instrumentation command-line tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: The attacker is expanding his reach into your network by executing commands on a remote endpoint.
    Investigative actions: Examine Alert Details > Overview to identify the source endpoint, process running the command execution, process owner, and execution destination.

    Variations

    Remote command execution via wmic.exe

    Medium overridden

    Remote command execution using the Windows Management Instrumentation command-line tool. overridden

  • Remote service command execution from an uncommon source High

    A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Remote service start from an uncommon source Low

    A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Impacket Analytics
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.
    Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.
  • Remote usage of AWS Lambda's role Informational Cloud 5 variations

    An AWS Lambda's role was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.

    Variations

    Remote command line usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Medium overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Low overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Usage of AWS Lambda's role from a known ASN

    Informational overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

  • Remote usage of VM Service Account token Informational Cloud 1 variation

    A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the service account was attached to a specific VM. Check if the service account was used by a user. Check if the relevant VM is compromised.

    Variations

    Suspicious usage of VM Service Account token

    High overridden

    A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment. overridden

  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden

  • Remote usage of an App engine Service Account token Informational Cloud 1 variation

    A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the Service Account was attached to a specific app engine. Check if the Service Account was used by a user. Check if the relevant app engine is compromised.

    Variations

    Suspicious usage of App engine Service Account token

    High overridden

    A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment. overridden

  • Remote usage of an Azure Managed Identity token Low Cloud 4 variations

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate valid token and abuse it remotely.
    Investigative actions: Verify whether the Managed Identity should be used remotely. Check what API calls were executed by the Managed Identity. Check if the relevant compute service is compromised.

    Variations

    Remote usage of an Azure Function App's Managed Identity token

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Automation Account's Managed Identity token

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Managed Identity token from an unusual ASN

    High overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

    Remote usage of an Azure Managed Identity token from an unusual IP

    Medium overridden

    An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden

  • Remote usage of an Azure Service Principal token Informational Cloud 2 variations

    An Azure Service Principal token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate valid token and abuse it remotely.
    Investigative actions: Verify whether the service principal should be used remotely. Check what API calls were executed by the service principal. Determine whether the service principal is compromised.

    Variations

    Remote usage of an Azure Service Principal token from an unusual ASN

    High overridden

    An Azure Service Principal token was used externally of the cloud environment. overridden

    Remote usage of an Azure Service Principal token from an unusual IP

    Medium overridden

    An Azure Service Principal token was used externally of the cloud environment. overridden

  • Removal of an Azure Owner from an Application or Service Principal Informational Cloud 1 variation

    An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: Azure Audit Log
    Attacker's goals: Remove owners from applications for full control of the application or service principal. Manipulate or delete data stored in the Azure environment.
    Investigative actions: Check the Azure Activity Log to identify which user removed the Azure Owner. Check the Azure Role Assignments to identify the current Azure Owners. Check the Application or Service Principal to identify if any changes have been made.

    Variations

    Removal of an Azure AD privileged user from an Application or Service Principal

    Low overridden

    An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service. overridden

  • Retrieval of cloud compute EC2 instance user data Informational Cloud 1 variation

    A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119)
    Required data: AWS Audit Log
    Attacker's goals: Access sensitive instance metadata or startup scripts.
    Investigative actions: Verify whether this action is expected. Inspect the user data script for sensitive data.

    Variations

    Unusual Retrieval of cloud compute instance user data

    Low overridden

    A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance. overridden

  • Retrieval of kubelet credentials Informational 1 variation

    A process retrieved kubelet credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Impersonate the node agent to gain control over the cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Retrieval of kubelet credentials by an unusual process

    Low overridden

    A process retrieved kubelet credentials. overridden

  • Run downloaded script using pipe Informational 1 variation

    Downloading a script using wget or curl and executing it using a pipe to a shell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to download a script using wget or curl.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Run downloaded script using pipe in a Kubernetes pod

    Informational overridden

    Downloading a script using wget or curl and executing it using a pipe to a shell. overridden

  • Rundll32.exe executes a rare unsigned module Low 2 variations

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Rundll32.exe executes a rare unsigned module with very high entropy

    Medium overridden

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. The module executed by Rundll32 has very high entropy. overridden

    Rundll32.exe executes a rare unsigned module with suspicious characteristics

    Medium overridden

    Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. overridden

  • Rundll32.exe running with no command-line arguments Medium

    Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Run as a signed Microsoft executables to avoid detection. Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.
    Investigative actions: Check for any injection event to the Rundll32 process. Check the causality of execution for any injections.
  • Rundll32.exe spawns conhost.exe Medium

    This unusual parent-child process relationship may indicate that an attacker has abused rundll32.exe to run a console-based application such as PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)
    Required data: XDR Agent
    Attacker's goals: Evading detections by running code from a signed Microsoft executable.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • S3 configuration deletion Informational Cloud

    An S3 bucket configuration has been deleted.This may affect the S3 access, and the objects it contains.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify the S3 configuration and expose stored sensitive data.
    Investigative actions: Check what data is stored on the S3. Check which configuration change has been made. Verify this change did not make this S3 publicly available.
  • SAAS - Email was reported by the user or administrator as a phishing attempt Informational Email 2 variations

    An email reported by the user or administrator as a phishing attempt has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.
    Investigative actions: Analyze the sender's IP address and domain reputation. Check if the sender has appeared in other logs or alerts across the organization. Review any URLs or attachments for signs of phishing, malware, or command-and-control communication. Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise. Determine whether similar emails were sent to other users to identify a broader campaign.

    Variations

    SAAS - Phishing report with suspicious verdict on an internal user's email

    Low overridden

    An email sent by an internal user was reported by a recipient or administrator as a phishing attempt.This may indicate a compromised account. overridden

    SAAS - Phishing report with with suspicious verdict

    Low overridden

    An email with a Malware/Block verdict reported by the user or administrator has been detected. overridden

  • SCCM log files enumeration Informational Identity Analytics 1 variation

    Multiple local SCCM logs were accessed within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Log Enumeration (T1654)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Enumerate data about the SCCM configuration, infrastructure and deployments.
    Investigative actions: Check suspicious network connections from the process or host. Check if the user account that initiated the enumeration is supposed to access these files.

    Variations

    Suspicious SCCM log files enumeration

    Low overridden

    Multiple local SCCM logs were abnormally accessed within a short period of time. overridden

  • SES Production Access Requested Informational Cloud 1 variation

    An identity requested to move the SES account from a restricted sandbox mode into production mode.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)
    Required data: AWS Audit Log
    Attacker's goals: Use the existing account to send phishing or spread malware at scale.
    Investigative actions: Check if the identity has performed any email-related operations in the past. Check if this account should be used for email sending.

    Variations

    SES Production Access Requested by an unusual identity

    Low overridden

    An identity requested to move the SES account from a restricted sandbox mode into production mode.The identity was not seen performing any operations in SES in the last 30 days. overridden

  • SMB Traffic from Non-Standard Process Low 1 variation

    SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known SMB port with a different protocol to evade detection. Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.
    Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.

    Variations

    SMB Traffic from Non-Standard Process on a sensitive server

    Medium overridden

    SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol. overridden

  • SPNs cleared from a machine account Low Identity Analytics 1 variation

    Service principal names were cleared from a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.

    Variations

    SPNs cleared from a machine account for the first time

    Medium overridden

    Service principal names were cleared from a machine account. overridden

  • SSH authentication brute force attempts Informational Identity Analytics 2 variations

    A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    3 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Attackers attempt to log in to a remote host.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Successful SSH Brute Force

    Low overridden

    A user successfully authenticated via SSH after an excessive number of failures in a short period. overridden

    Possible SSH Brute Force

    Low overridden

    A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack. overridden

  • SSO Brute Force Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Brute Force on a Honey User Account

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

  • SSO Password Spray Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

  • SSO authentication attempt by a honey user Low Identity Analytics 1 variation

    An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Okta OneLogin PingOne
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Abnormal SSO authentication by a honey user

    Medium overridden

    An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden

  • SSO authentication by a machine account Low Identity Analytics

    A machine account successfully authenticated via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.
  • SSO authentication by a service account Low Identity Analytics 2 variations

    A service account successfully authenticated via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Rare non-interactive SSO authentication by a service account

    Informational overridden

    A service account successfully authenticated via SSO. overridden

    First time SSO authentication by a service account

    Medium overridden

    A service account successfully authenticated via SSO. overridden

  • SSO with abnormal operating system Informational Identity Analytics

    A user successfully authenticated via SSO with an abnormal operating system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Okta
    Attacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.
  • SSO with abnormal user agent Informational Identity Analytics 1 variation

    A user successfully authenticated via SSO with an abnormal user agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Okta AzureAD Azure SignIn Log Duo PingOne
    Attacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new user agent app). Follow actions and suspicious activities regarding the user.

    Variations

    SSO with an offensive user agent

    Low overridden

    A user successfully authenticated via SSO with an offensive user agent. overridden

  • SSO with new operating system Informational Identity Analytics

    A user successfully authenticated via SSO with a new operating system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Okta Azure SignIn Log AzureAD Duo
    Attacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.
  • SUID/GUID permission discovery Low

    Attackers may search for potential to elevate permissions using binaries that have the SUID or GUID bit enabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent
    Attacker's goals: Attackers may use GUID/SUID binaries to elevate privileges.
    Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.
  • SaaS suspicious external domain user activity Informational Identity Threat Module 1 variation

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.
    Investigative actions: Investigate the external domain name. Check the identity activity in the organization.

    Variations

    Suspicious external user activity detected from a domain first seen in the organization

    Low overridden

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization, both in cloud and SaaS environments. overridden

  • Scheduled Task hidden by registry modification Low

    Attackers may try to hide a Scheduled Task by deleting the Scheduled Task's software descriptor (SD) value in the registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Registry (T1112) Hide Artifacts (T1564)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may hide their malicious Scheduled Task to evade detection.
    Investigative actions: Check the appropriate Scheduled Task to verify its legitimacy. You can also check the executing executable to verify its purpose.
  • Scrcons.exe Rare Child Process Informational 1 variation

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: The attacker is trying to gain Persistence via WMI script registration.
    Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".

    Variations

    Scrcons.exe Rare Child Process

    Medium overridden

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden

  • Screensaver process executed from Users or temporary folder Low 1 variation

    An executable file with a screensaver extension was executed from the Users or temp folder. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Screensaver (T1546.002)
    Required data: XDR Agent
    Attacker's goals: Gain persistence by configuring a new screensaver.
    Investigative actions: Check whether the executing process (with the SCR extension) is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Screensaver process executed from Users or temporary folder by a scripting engine process

    High overridden

    An executable file with a screensaver extension was executed from the Users or temp folder by a scripting engine process. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators. overridden

  • Script file added to startup-related Registry keys Medium

    An attacker may add a script file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes commands on user login or computer boot.
    Investigative actions: Verify if the registered script is malicious. Check if the installed software is a malicious binary or script.
  • Scripting engine connected to a rare external host Low 3 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)
    ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.

    Variations

    Scripting engine failed to connect to a rare external host

    Informational overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Scripting engine with a modified image name connected to a rare external host

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN scripting engine connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

  • SecureBoot was disabled Low

    SecureBoot was disabled, this might be indicative of someone trying to install an alternate non-UEFI supported OS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Pre-OS Boot (T1542)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Disable SecureBoot to install another OS on the machine.
    Investigative actions: Check if a new operating system was installed on the same hardware.
  • Security object deletion in Google Workspace Admin Console Informational Identity Threat Module 1 variation

    A security object was deleted in Google Workspace Admin Console.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify or disable security rules to avoid detection of their activities.
    Investigative actions: Investigate the security object name deleted and whether it was intended. Check if the user was recently granted new elevated permissions that allowed them to delete security rules. Follow other administrative or suspicious actions performed by this user around the same time.

    Variations

    Security object deletion in Google Workspace Admin Console for the first time

    Low overridden

    A security object was deleted in Google Workspace Admin Console. overridden

  • Security tools detection attempt Informational

    A script has executed commands that can be used to detect security tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.
  • Sending unusual file(s) to an external address Low Email

    Unusual files sent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.
    Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.
  • Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations

    A user sent sensitive email messages to external users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive email information.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Exchange mail to external account matching high severity DLP rules

    Low overridden

    A user sent sensitive email messages to external users. overridden

    Sensitive Exchange mail sent to an external user

    Low overridden

    A user sent sensitive email messages to external users. overridden

  • Sensitive account password reset attempt Informational Identity Analytics 1 variation

    An attempt was made to reset a sensitive account's password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Verify this action with the user who performed the change.

    Variations

    Sensitive account password reset attempt for the first time

    Low overridden

    An attempt was made to reset a sensitive account's password. overridden

  • Sensitive browser credential files accessed by a rare non browser process Informational 1 variation

    Sensitive browser credential files accessed by a rare non browser process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Achieve Credential Access by harvesting credentials from local browser storage.This facilitates Lateral Movement and Persistence across the environmentto gain unauthorized control over sensitive resources and information.
    Investigative actions: Determine the legitimacy of the actor process that accessed the sensitive browser credential files. Analyze the process signature, file path, and command line arguments to verify the process's authenticity. Identify the process or user responsible for initiating the activity and assess its legitimacy.

    Variations

    Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory

    Low overridden

    Sensitive browser credential files accessed by a rare non browser process. overridden

  • Serial console access was enabled in AWS account Informational Cloud

    Serial console access to EC2 instances was enabled in an AWS account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.
    Investigative actions: Verify whether serial console access should be enabled. Investigate which actions were performed via serial console access.
  • Service execution via sc.exe Informational

    Sc.exe has the ability to start services on local and remote hosts. An attacker may abuse it to execute malicious services on a host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run code on local or remote hosts.
    Investigative actions: Check whether the service that was created via sc.exe is benign and if this was a desired behavior as part of its normal execution flow.
  • Service ticket request with a spoofed sAMAccountName Medium Identity Analytics

    A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.
  • Setting Windows Auto Logon by uncommon process Low

    Setting Windows Auto Logon by uncommon process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to set auto logon for persistence and privilege escalation.
    Investigative actions: Investigate the process that set or create the registry key.
  • Setuid and Setgid file bit manipulation Low 1 variation

    The setuid or setgid bits were set on a file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to run the executable application as a different user.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Setuid and Setgid file bit manipulation in a Kubernetes pod

    Low overridden

    The setuid or setgid bits were set on a file. overridden

  • SharePoint Site Collection admin group addition Informational Identity Threat Module 2 variations

    A user made an addition to the site collection administrators group in SharePoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Office 365 Audit
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Check the IP address from which the access originated. Verify the activity with the performing user. Follow further actions done by the account.

    Variations

    SharePoint site collection admin added to personal site

    Informational overridden

    A user was added as a site collection admin to a personal site, indicating that the user has accessed the SharePoint service for the first time. overridden

    Abnormal SharePoint Site Collection admin group addition

    Low overridden

    A user made an addition to the site collection administrators group in SharePoint. This user has not made any SharePoint site admin additions over the past 30 days. overridden

  • Short-lived Azure AD user account Informational Identity Threat Module 1 variation

    An Azure AD user was created and deleted within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.

    Variations

    Abnormal Short-lived Azure AD user account

    Low overridden

    An Azure AD user was created and deleted within a short period of time. overridden

  • Short-lived user account Low Identity Analytics 2 variations

    A user was created and deleted within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Evasion using a valid account.
    Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.

    Variations

    Abnormal short-lived user account

    Low overridden

    A user was observed creating and deleting an account a short time later. This user does not regularly create and delete accounts. overridden

    Short-lived hidden user account

    Medium overridden

    A user was created with a name that mimics a machine account and later deleted within a short period of time. This may be an attacker's attempt to evade detection. overridden

  • Signed process creates a scheduled task via file access Informational 1 variation

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.
    Investigative actions: Check the created task file and look for the action triggered by the task.

    Variations

    Signed process running from an untrusted directory creates a scheduled task via file access

    Low overridden

    A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden

  • Signed process performed an unpopular DLL injection Informational 4 variations

    A signed process performed an unpopular DLL injection into another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Signed process that got injected performed an unpopular and suspicious dll injection

    High overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process that got injected performed an unpopular and suspicious dll injection

    Medium overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process that got injected performed an unpopular dll injection

    Medium overridden

    A signed process performed an unpopular DLL injection into another process. overridden

    Signed process performed an unpopular DLL injection

    Low overridden

    A signed process performed an unpopular DLL injection into another process. overridden

  • Signed process performed an unpopular injection Informational 6 variations

    A signed process performed an unpopular injection to another process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Signed process that got injected performed an unpopular and suspicious injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process that got injected performed an unpopular and suspicious injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process that got injected performed an unpopular injection

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Commonly abused signed process performed a globally unpopular injection to a Microsoft signed process

    Medium overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process performed an unpopular injection

    Low overridden

    A signed process performed an unpopular injection to another process. overridden

    Signed process executed by a scheduled task performed an unpopular injection

    Low overridden

    A signed process performed an unpopular injection to another process. overridden

  • Single account excessively locked out Informational Identity Analytics 1 variation

    A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if there were any successful authentications (event ID 4624). Determine if any programs have stored outdated credentials, causing account lockouts. Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices. Confirm whether the user's credentials have been compromised or leaked. Review if the account is enrolled in multifactor authentication (MFA). Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Single suspicious account excessively locked out

    Low overridden

    A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account. overridden

  • Soft delete of cloud storage configuration was disabled Informational Cloud

    A Soft Delete configuration was disabled on a cloud storage account.Soft delete allows a deletion of a blob or a container to be restored.Disabling it will impair the ability of the cloud environment to recover in disaster scenarios.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.
    Investigative actions: Check if the identity intended to disable soft delete for this storage account. Check if the identity performed additional malicious operations in the cloud environment.
  • Space after filename Informational

    A file was created or renamed to have a space at the end of its name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Space after Filename (T1036.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may try to change the extension of the file to evade detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.
  • Spam Bot Traffic Low 2 variations

    The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Days
    Deduplication:
    3 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Resource Hijacking (T1496)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: The attacker uses the host as an SMTP client to send mails and hide their real origin.
    Investigative actions: Verify that the source is not an SMTP server. If Cortex XDR Analytics has failed to identify the process as a valid SMTP server, this alert will be a false positive. Verify that IP addresses are actually not being resolved by the non-SMTP process. If the process is performing DNS resolution with a DNS service outside your network, it is possible (depending on your network topology) that Cortex XDR Analytics will not observe that traffic. Because SMTP services typically use numerous IP addresses, this situation could cause a process to exceed a limit when it would otherwise fail to do so. If the SMTP connection activity turns out to be the result of malicious file activity, search on the Triage page for other endpoints infected with the file.

    Variations

    Spam Bot Traffic

    Informational overridden

    The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses. overridden

    Failed Spam Bot Traffic

    Informational overridden

    The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses. overridden

  • Storage enumeration activity Informational Cloud

    An identity attempted to discover cloud objects within storage buckets.This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619) Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: Access sensitive data stored in cloud infrastructure.
    Investigative actions: Check the identity's role designation in the organization. Identify which storage buckets were enumerated and whether they contained sensitive information.
  • Stored credentials exported using credwiz.exe Low 3 variations

    Attackers may abuse the credwiz tool to export stored accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores (T1555)
    Required data: XDR Agent
    Attacker's goals: An attacker may attempt to gain higher privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function

    Medium overridden

    Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function. overridden

    Stored credentials exported using credwiz.exe over RDP

    Low overridden

    Attackers may abuse the credwiz tool to export stored accounts over RDP. overridden

    Stored credentials exported using credwiz.exe with a built-in Windows tool

    Low overridden

    Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool. overridden

  • Subdomain Fuzzing Low 1 variation

    The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    20 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning: Wordlist Scanning (T1595.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Scan a known external facing asset to gain knowledge about the organization.
    Investigative actions: Verify that the domain doesn't host numerous subdomains. Verify that the source of the scan is not a known external scanner.

    Variations

    Subdomain Fuzzing To a Rare Destination

    Medium overridden

    The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network. overridden

  • Successful unusual guest user invitation Informational Identity Threat Module 1 variation

    An identity successfully invited a guest user to the tenant with unusual characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can invite users to for evasion.
    Investigative actions: Check who is the invited guest user. Check whether the inviter is permitted to perform such actions. Check if the domain of the invited guest is allowed for invitations in the organization.

    Variations

    Rare successful guest invitation in the organization

    Low overridden

    An identity successfully invited a suspicious guest user to the tenant. overridden

  • Sudden spike in outbound email volume Informational Email 2 variations

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    2 Hours
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Sudden spike in outbound emails sent to external recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

    Sudden spike in outbound emails sent to internal recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • Sudoedit Brute force attempt Medium

    An unusual amount of sudoedit commands executed in a short period of time. This may indicate an attempt to exploit CVE-2021-3156.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Exploitation for Privilege Escalation (T1068)
    Required data: XDR Agent
    Attacker's goals: The attacker may gain higher privileges via exploitation of sudoedit.
    Investigative actions: Verify that the current version of sudo in not vulnerable to CVE-2021-3156.
  • Suspicious .NET process loads an MSBuild DLL Medium

    A suspicious process in the Microsoft .NET directory loaded the Microsoft Build Framework DLL. This may occur if an attacker masquerades a process like MSBuild (PowerLessShell).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Suspicious AI Dataset Download Low Cloud 1 variation

    A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Manipulate datasets used by ML models.
    Investigative actions: Determine which dataset was accessed. Examine the changes made to the dataset.

    Variations

    Suspicious First-Time AI Dataset Download by Identity

    Medium overridden

    A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection. overridden

  • Suspicious AI Dataset Label Modification Low Cloud

    AI Dataset labels were modified by an identity that typically doesn't interact with labels.MITRE ATLAS Technique: AML.T0020 - Poison Training Data.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating training set, so that predictions on new data will be modified.
    Investigative actions: Check the identity that modified the dataset's labels. Check that the dataset is correctly labeled.
  • Suspicious AI model usage from a Tor exit node High Cloud 1 variation

    A cloud identity invoked an AI model from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Failed AI model usage from a Tor exit node

    Informational overridden

    A cloud identity invoked an AI model from a Tor exit node. overridden

  • Suspicious AMSI decode attempt Informational

    A script has executed commands that can be used to decode commands or files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Minute
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid security mitigations and detections.
    Investigative actions: Check the payload for malicious activity.
  • Suspicious API call from a Tor exit node High Cloud 2 variations

    A cloud API was called from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Suspicious Kubernetes API call from a Tor exit node

    High overridden

    A Kubernetes API was called from a Tor exit node. overridden

    A Failed API call from a Tor exit node

    Informational overridden

    A cloud API was called from a Tor exit node. overridden

  • Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    A non admin identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Suspicious Azure AD interactive sign-in using PowerShell Informational Identity Analytics 1 variation

    A user interactively logged in to Azure AD via PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD
    Attacker's goals: The attacker attempts to gain access to the organization's resources.
    Investigative actions: Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    Unusual Azure AD interactive sign-in using PowerShell

    Low overridden

    A user interactively logged in to Azure AD via PowerShell from an unusual geolocation or ASN. overridden

  • Suspicious Azure enumeration activity Medium Cloud

    An Azure identity performed resource enumeration across multiple services using Microsoft Graph.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Map the Azure tenant and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.
  • Suspicious Certutil AD CS contact Low 1 variation

    A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Look at further action done by the user. Investigate whether other non-standard operations were done regarding the AD CS.

    Variations

    Suspicious Certutil AD CS Admin Interface contact

    Medium overridden

    A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface. overridden

  • Suspicious DKIM Result Informational Email 4 variations

    The email contains a suspicious DKIM entry, showing either an unexpected verification result (none, fail, or policy) or a mismatched signing domain, which may indicate potential tampering or spoofing activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation, and check why DKIM didn't pass. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Known domain DKIM deviation

    Informational overridden

    An email was sent from a commonly seen domain in the organization, that has historically passed DKIM checks, but returned a suspicious DKIM result of fail This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden

    Lack DKIM signature from typically signing domains

    Informational overridden

    An email was sent from a domain that has historically passed DKIM checks, but returned a suspicious DKIM result of none A none DKIM result implies on an unsigned email, which is atypical for domains with previous signed messages. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden

    DKIM results lacking sender correlation

    Informational overridden

    The email's authentication results have no indication of proper signing from the email's sender This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. overridden

    Known domain suspicious DKIM result

    Informational overridden

    An email was sent from a commonly seen domain that had no other suspicious DKIM outcomes for the past 30 days. This may indicate an attempt to spoof or impersonate a legitimate external sender. overridden

  • Suspicious DMARC result Informational Email 3 variations

    The email has a suspicious DMARC result of either fail or none, which may indicate a potential domain misconfiguration or spoofing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Trick users into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Check the reason DMARC didn't pass and the action. Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    DMARC deviation from historically compliant domain

    Informational overridden

    This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DMARC outcome from a previously trusted external domain warrants further investigation. overridden

    DMARC failure bypassed domain policy

    Informational overridden

    This indicates the message should have been rejected according to the domain owner policy, but was instead accepted and delivered, potentially exposing the user to email spoofing or phishing. This suggests a potential policy bypass or misconfiguration in mail filtering. overridden

    DMARC failed with non-enforcing policy

    Informational overridden

    This may indicate an overly permissive DMARC configuration on the sender side and could allow unauthenticated messages to reach users' inboxes. Such configurations are often exploited in phishing or spoofing campaigns, and should be treated with caution. overridden

  • Suspicious DNS traffic Informational 2 variations

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    Suspicious DNS traffic with a rarely seen domain

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden

    Suspicious DNS traffic with a globally rare DNS query length

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden

  • Suspicious DotNet log file created Low 3 variations

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Run/Inject DotNet code in the context of a signed process.
    Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.

    Variations

    DotNet log file created by svchost from 'Absolute software Corp' causality

    Informational overridden

    Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden

    Suspicious DotNet log file created from an injected thread

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

    Suspicious DotNet log file created

    Low overridden

    Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden

  • Suspicious EBS snapshots deletion Low Cloud 1 variation

    An identity deleted multiple EBS snapshots from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.
    Investigative actions: Identify the deleted snapshots and their associated resources. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity successfully deleted multiple snapshots from a project

    Medium overridden

    An identity deleted multiple EBS snapshots from the project, considerably more than usual. overridden

  • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller Medium

    An Encrypting File System Remote call (EFSRPC) was made to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.
    Investigative actions: Check for suspicious processes on the host. Check if the source host is a vulnerability scanner. Look for following suspicious connections using the DC machine account.
  • Suspicious External RDP Login Informational Identity Analytics

    An unusual successful RDP connection by a user from an external IP.This may be indicative of using stolen credentials or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.
    Investigative actions: Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.
  • Suspicious HTTP parameters detected Medium

    The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.
  • Suspicious ICMP packet Low 1 variation

    An ICMP router advertisement was sent by a host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Make the victim change his routing table.
    Investigative actions: Investigate why the source host sent an ICMP router advertisement and if it changed the destination target routing table.

    Variations

    Suspicious ICMP packet that resemble an ICMP redirect attack

    Informational overridden

    ICMP redirect was sent by a user. overridden

  • Suspicious ICMP traffic that resembles smurf attack Low

    ICMP smurf attack was used.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Service Exhaustion Flood (T1499.002) Network Denial of Service (T1498)
    Required data: XDR Agent
    Attacker's goals: Attempt to perform a denial-of-service attack by network exhaustion.
    Investigative actions: Check if the ICMP message to broadcast was used for a legitimate reason. If not, check for denial-of-service impact on the subnet.
  • Suspicious Kerberos Pre-Auth Failures by Host Low Identity Analytics

    An endpoint failed unusual number of Kerberos pre-authentications (TGT requests) which may indicate a password-spraying attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.
    Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Review source host activity to detect any additional suspicious or lateral movement behavior. Correlate successful logons from the source host to identify potential account compromises following the failed attempts.
  • Suspicious Kubernetes pod token access Medium 2 variations

    A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Gain access to the Kubernetes environment.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Suspicious Kubernetes pod token access by an unusual pod

    High overridden

    A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden

    Suspicious Kubernetes pod token access by an unusual process

    Medium overridden

    A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden

  • Suspicious LDAP queries followed by shared folder access Low

    The user executed suspicious LDAP queries shortly before accessing a shared folder.This behavior may be indicative of Rubeus activity involving Kerberos ticket forgery, such as Golden Ticket or Silver Ticket attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may use LDAP based account discovery and a forged Kerberos ticket (e.g. Silver Ticket) to access shared resources and collect sensitive data.
    Investigative actions: Review the LDAP query content to determine if it targets privileged groups (e.g., Domain Admins) or sensitive objects. Correlate the shared folder path with sensitive file shares (e.g., SYSVOL, NETLOGON, backup shares). Check if the IP address {ip_address} is associated with known administrative systems or unusual user behavior. Determine if Rubeus or other Kerberos abuse tools were used based on timing, patterns, or command line artifacts. Inspect for potential Silver Ticket or Golden Ticket activity by reviewing Kerberos ticket logs and security events. Verify if the user account had prior suspicious authentication events or privilege escalation.