Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapReading bash command history file Low
Attackers may access the bash history file to glean cleartext usernames and passwords that were entered on the command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Shell History (T1552.003)Required data: XDR AgentAttacker's goals: Adversaries may search the bash history file to search for insecurely stored credentials.Investigative actions: Investigate the process activities and use of the extracted credentials.Recurring access to rare IP Low
The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this external IP address has occurred repeatedly over many days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 21 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the IP address belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious IP address. Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.Recurring access to rare domain Low 1 variation
The endpoint is periodically connecting to an external domain (categorized as malware) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.Variations
Recurring access to rare domain
Low overridden
The endpoint is periodically connecting to an external domain (categorized as command-and-control) that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring rare domain access from an unsigned process Low 2 variations
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain. Inspect the domain or URL for suspicious indicators or its presence in malicious reputation lists.Variations
Recurring rare domain access from an uncommon unsigned process
Medium overridden
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring access to a rare domain associated with known threats
Medium overridden
An unsigned process is periodically connecting to an external domain that it and its peers rarely use.Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions. overridden
Recurring rare domain access to dynamic DNS domain Low
The endpoint is periodically connecting to an external domain that it and its peers rarely use. Access to this domain has occurred repeatedly over multiple days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Identify the process/user contacting the remote domain and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the suspicious domain.Registration of Uncommon .NET Services and/or Assemblies Informational
Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)Required data: XDR AgentAttacker's goals: Load untrusted code into a trusted Microsoft context to evade detection.Investigative actions: Verify if the loaded dll is known to be malicious. Track down which process dropped the library being loaded. Validate if the actions being done by the regasm.exe process are malicious.Remote DCOM command execution Low 4 variations
A remotely triggered DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Distributed Component Object Model (T1021.003)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the DCOM call from the source host and understand which software initiated it.Variations
Remote suspicious DCOM-MMC20.Application command execution
High overridden
A remotely triggered suspicious DCOM-MMC20.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM-Excel.Application command execution
High overridden
A remotely triggered suspicious DCOM-Excel.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM-Outlook.Application command execution
High overridden
A remotely triggered suspicious DCOM-Outlook.Application initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote suspicious DCOM command execution
Medium overridden
A remotely triggered suspicious DCOM initiated a command execution by a host that rarely executes processes using DCOM to other remote hosts. overridden
Remote PsExec-like command execution Informational 5 variations
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002) Lateral Tool Transfer (T1570)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Variations
Remote PsExec-like LOLBIN command execution from an unsigned non-standard PsExec service
High overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like LOLBIN command execution from a signed non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from an unsigned non-standard PsExec service
Medium overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec-like command execution from a signed non-standard PsExec service
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote PsExec command execution
Low overridden
A remotely triggered service initiated a command execution in a PsExec-like manner by a host that rarely triggers services to other remote hosts. overridden
Remote WMI process execution Medium 1 variation
A host that rarely initiates WMI to other remote hosts triggered a remote process execution by using WMI RPC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which process or software initiated it.Variations
Suspicious remote WMI process execution
High overridden
A host that rarely initiates WMI to other remote hosts triggered a suspicious remote process execution by using WMI RPC. overridden
Remote account enumeration Informational Identity Analytics 2 variations
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Variations
Suspicious Remote domain account enumeration
Medium overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote account enumeration on domain accounts
Low overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote code execution into Kubernetes Pod Informational 2 variations
A container administration service was used to execute commands within a Kubernetes Pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Remote code execution into Kubernetes Pod from another Pod for the first time
Medium overridden
A container administration service was used to execute commands within a Kubernetes Pod. overridden
Remote code execution into Kubernetes Pod from another Pod
Low overridden
A container administration service was used to execute commands within a Kubernetes Pod. overridden
Remote command execution via wmic.exe Low 1 variation
Remote command execution using the Windows Management Instrumentation command-line tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: The attacker is expanding his reach into your network by executing commands on a remote endpoint.Investigative actions: Examine Alert Details > Overview to identify the source endpoint, process running the command execution, process owner, and execution destination.Variations
Remote command execution via wmic.exe
Medium overridden
Remote command execution using the Windows Management Instrumentation command-line tool. overridden
Remote service command execution from an uncommon source High
A remotely triggered service initiated a command execution by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote service start from an uncommon source Low
A remotely triggered service initiated by a host that rarely triggers services to other remote hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Impacket AnalyticsAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network.Investigative actions: Investigate the service being spawned on the host for malicious activities. Correlate the RPC call from the source host and understand which software initiated it.Remote usage of AWS Lambda's role Informational Cloud 5 variations
An AWS Lambda's role was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.Variations
Remote command line usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Medium overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Low overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Usage of AWS Lambda's role from a known ASN
Informational overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Remote usage of VM Service Account token Informational Cloud 1 variation
A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the service account was attached to a specific VM. Check if the service account was used by a user. Check if the relevant VM is compromised.Variations
Suspicious usage of VM Service Account token
High overridden
A GCP Service Account token, which is attached to a VM, was used externally of the cloud environment. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
Remote usage of an App engine Service Account token Informational Cloud 1 variation
A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the Service Account was attached to a specific app engine. Check if the Service Account was used by a user. Check if the relevant app engine is compromised.Variations
Suspicious usage of App engine Service Account token
High overridden
A GCP Service Account token, which is attached to an app engine, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token Low Cloud 4 variations
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Azure Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate valid token and abuse it remotely.Investigative actions: Verify whether the Managed Identity should be used remotely. Check what API calls were executed by the Managed Identity. Check if the relevant compute service is compromised.Variations
Remote usage of an Azure Function App's Managed Identity token
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Automation Account's Managed Identity token
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token from an unusual ASN
High overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Managed Identity token from an unusual IP
Medium overridden
An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment. overridden
Remote usage of an Azure Service Principal token Informational Cloud 2 variations
An Azure Service Principal token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Azure Audit LogAttacker's goals: Exfiltrate valid token and abuse it remotely.Investigative actions: Verify whether the service principal should be used remotely. Check what API calls were executed by the service principal. Determine whether the service principal is compromised.Variations
Remote usage of an Azure Service Principal token from an unusual ASN
High overridden
An Azure Service Principal token was used externally of the cloud environment. overridden
Remote usage of an Azure Service Principal token from an unusual IP
Medium overridden
An Azure Service Principal token was used externally of the cloud environment. overridden
Removal of an Azure Owner from an Application or Service Principal Informational Cloud 1 variation
An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: Azure Audit LogAttacker's goals: Remove owners from applications for full control of the application or service principal. Manipulate or delete data stored in the Azure environment.Investigative actions: Check the Azure Activity Log to identify which user removed the Azure Owner. Check the Azure Role Assignments to identify the current Azure Owners. Check the Application or Service Principal to identify if any changes have been made.Variations
Removal of an Azure AD privileged user from an Application or Service Principal
Low overridden
An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service. overridden
Retrieval of cloud compute EC2 instance user data Informational Cloud 1 variation
A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119)Required data: AWS Audit LogAttacker's goals: Access sensitive instance metadata or startup scripts.Investigative actions: Verify whether this action is expected. Inspect the user data script for sensitive data.Variations
Unusual Retrieval of cloud compute instance user data
Low overridden
A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance. overridden
Retrieval of kubelet credentials Informational 1 variation
A process retrieved kubelet credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Retrieval of kubelet credentials by an unusual process
Low overridden
A process retrieved kubelet credentials. overridden
Run downloaded script using pipe Informational 1 variation
Downloading a script using wget or curl and executing it using a pipe to a shell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to download a script using wget or curl.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Run downloaded script using pipe in a Kubernetes pod
Informational overridden
Downloading a script using wget or curl and executing it using a pipe to a shell. overridden
Rundll32.exe executes a rare unsigned module Low 2 variations
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the loaded module with the corresponding hash is benign and if this was a desired behavior as part of its normal execution flow.Variations
Rundll32.exe executes a rare unsigned module with very high entropy
Medium overridden
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. The module executed by Rundll32 has very high entropy. overridden
Rundll32.exe executes a rare unsigned module with suspicious characteristics
Medium overridden
Rundll32.exe executes a rare unsigned module, which can indicate an attacker's malicious execution. overridden
Rundll32.exe running with no command-line arguments Medium
Rundll32.exe is meant to run with parameters, so the absence of them is extremely suspicious; this behavior is used in the default configuration of Cobalt Strike.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Run as a signed Microsoft executables to avoid detection. Rundll32 is the default process used by Cobalt Strike for running post-exploitation tools.Investigative actions: Check for any injection event to the Rundll32 process. Check the causality of execution for any injections.Rundll32.exe spawns conhost.exe Medium
This unusual parent-child process relationship may indicate that an attacker has abused rundll32.exe to run a console-based application such as PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Rundll32 (T1218.011)Required data: XDR AgentAttacker's goals: Evading detections by running code from a signed Microsoft executable.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.S3 configuration deletion Informational Cloud
An S3 bucket configuration has been deleted.This may affect the S3 access, and the objects it contains.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Modify the S3 configuration and expose stored sensitive data.Investigative actions: Check what data is stored on the S3. Check which configuration change has been made. Verify this change did not make this S3 publicly available.SAAS - Email was reported by the user or administrator as a phishing attempt Informational Email 2 variations
An email reported by the user or administrator as a phishing attempt has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.Investigative actions: Analyze the sender's IP address and domain reputation. Check if the sender has appeared in other logs or alerts across the organization. Review any URLs or attachments for signs of phishing, malware, or command-and-control communication. Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise. Determine whether similar emails were sent to other users to identify a broader campaign.Variations
SAAS - Phishing report with suspicious verdict on an internal user's email
Low overridden
An email sent by an internal user was reported by a recipient or administrator as a phishing attempt.This may indicate a compromised account. overridden
SAAS - Phishing report with with suspicious verdict
Low overridden
An email with a Malware/Block verdict reported by the user or administrator has been detected. overridden
SCCM log files enumeration Informational Identity Analytics 1 variation
Multiple local SCCM logs were accessed within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Log Enumeration (T1654)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Enumerate data about the SCCM configuration, infrastructure and deployments.Investigative actions: Check suspicious network connections from the process or host. Check if the user account that initiated the enumeration is supposed to access these files.Variations
Suspicious SCCM log files enumeration
Low overridden
Multiple local SCCM logs were abnormally accessed within a short period of time. overridden
SES Production Access Requested Informational Cloud 1 variation
An identity requested to move the SES account from a restricted sandbox mode into production mode.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)Required data: AWS Audit LogAttacker's goals: Use the existing account to send phishing or spread malware at scale.Investigative actions: Check if the identity has performed any email-related operations in the past. Check if this account should be used for email sending.Variations
SES Production Access Requested by an unusual identity
Low overridden
An identity requested to move the SES account from a restricted sandbox mode into production mode.The identity was not seen performing any operations in SES in the last 30 days. overridden
SMB Traffic from Non-Standard Process Low 1 variation
SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known SMB port with a different protocol to evade detection. Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.Variations
SMB Traffic from Non-Standard Process on a sensitive server
Medium overridden
SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol. overridden
SPNs cleared from a machine account Low Identity Analytics 1 variation
Service principal names were cleared from a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.Variations
SPNs cleared from a machine account for the first time
Medium overridden
Service principal names were cleared from a machine account. overridden
SSH authentication brute force attempts Informational Identity Analytics 2 variations
A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 3 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: Attackers attempt to log in to a remote host.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Successful SSH Brute Force
Low overridden
A user successfully authenticated via SSH after an excessive number of failures in a short period. overridden
Possible SSH Brute Force
Low overridden
A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack. overridden
SSO Brute Force Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Brute Force on a Honey User Account
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Password Spray Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO authentication attempt by a honey user Low Identity Analytics 1 variation
An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Okta OneLogin PingOneDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Abnormal SSO authentication by a honey user
Medium overridden
An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden
SSO authentication by a machine account Low Identity Analytics
A machine account successfully authenticated via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.SSO authentication by a service account Low Identity Analytics 2 variations
A service account successfully authenticated via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare non-interactive SSO authentication by a service account
Informational overridden
A service account successfully authenticated via SSO. overridden
First time SSO authentication by a service account
Medium overridden
A service account successfully authenticated via SSO. overridden
SSO with abnormal operating system Informational Identity Analytics
A user successfully authenticated via SSO with an abnormal operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD OktaAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.SSO with abnormal user agent Informational Identity Analytics 1 variation
A user successfully authenticated via SSO with an abnormal user agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Okta AzureAD Azure SignIn Log Duo PingOneAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new user agent app). Follow actions and suspicious activities regarding the user.Variations
SSO with an offensive user agent
Low overridden
A user successfully authenticated via SSO with an offensive user agent. overridden
SSO with new operating system Informational Identity Analytics
A user successfully authenticated via SSO with a new operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Okta Azure SignIn Log AzureAD DuoAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.SUID/GUID permission discovery Low
Attackers may search for potential to elevate permissions using binaries that have the SUID or GUID bit enabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: XDR AgentAttacker's goals: Attackers may use GUID/SUID binaries to elevate privileges.Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.SaaS suspicious external domain user activity Informational Identity Threat Module 1 variation
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: Google Workspace Audit Logs Office 365 AuditAttacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.Investigative actions: Investigate the external domain name. Check the identity activity in the organization.Variations
Suspicious external user activity detected from a domain first seen in the organization
Low overridden
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization, both in cloud and SaaS environments. overridden
Scheduled Task hidden by registry modification Low
Attackers may try to hide a Scheduled Task by deleting the Scheduled Task's software descriptor (SD) value in the registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Registry (T1112) Hide Artifacts (T1564)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may hide their malicious Scheduled Task to evade detection.Investigative actions: Check the appropriate Scheduled Task to verify its legitimacy. You can also check the executing executable to verify its purpose.Scrcons.exe Rare Child Process Informational 1 variation
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)Required data: XDR AgentAttacker's goals: The attacker is trying to gain Persistence via WMI script registration.Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".Variations
Scrcons.exe Rare Child Process
Medium overridden
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden
Screensaver process executed from Users or temporary folder Low 1 variation
An executable file with a screensaver extension was executed from the Users or temp folder. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Screensaver (T1546.002)Required data: XDR AgentAttacker's goals: Gain persistence by configuring a new screensaver.Investigative actions: Check whether the executing process (with the SCR extension) is benign and if this was a desired behavior as part of its normal execution flow.Variations
Screensaver process executed from Users or temporary folder by a scripting engine process
High overridden
An executable file with a screensaver extension was executed from the Users or temp folder by a scripting engine process. This is not a common behavior for screensavers and may indicate a malicious file disguised as a screensaver in the Users or temp folder. It is recommended to further investigate the execution flow for malicious indicators. overridden
Script file added to startup-related Registry keys Medium
An attacker may add a script file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes commands on user login or computer boot.Investigative actions: Verify if the registered script is malicious. Check if the installed software is a malicious binary or script.Scripting engine connected to a rare external host Low 3 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.Variations
Scripting engine failed to connect to a rare external host
Informational overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Scripting engine with a modified image name connected to a rare external host
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN scripting engine connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
SecureBoot was disabled Low
SecureBoot was disabled, this might be indicative of someone trying to install an alternate non-UEFI supported OS.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Pre-OS Boot (T1542)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Disable SecureBoot to install another OS on the machine.Investigative actions: Check if a new operating system was installed on the same hardware.Security object deletion in Google Workspace Admin Console Informational Identity Threat Module 1 variation
A security object was deleted in Google Workspace Admin Console.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify or disable security rules to avoid detection of their activities.Investigative actions: Investigate the security object name deleted and whether it was intended. Check if the user was recently granted new elevated permissions that allowed them to delete security rules. Follow other administrative or suspicious actions performed by this user around the same time.Variations
Security object deletion in Google Workspace Admin Console for the first time
Low overridden
A security object was deleted in Google Workspace Admin Console. overridden
Security tools detection attempt Informational
A script has executed commands that can be used to detect security tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497) Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid detection by identifying execution alongside security tools that may alert on a malicious script.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.Sending unusual file(s) to an external address Low Email
Unusual files sent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations
A user sent sensitive email messages to external users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive email information.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Exchange mail to external account matching high severity DLP rules
Low overridden
A user sent sensitive email messages to external users. overridden
Sensitive Exchange mail sent to an external user
Low overridden
A user sent sensitive email messages to external users. overridden
Sensitive account password reset attempt Informational Identity Analytics 1 variation
An attempt was made to reset a sensitive account's password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Verify this action with the user who performed the change.Variations
Sensitive account password reset attempt for the first time
Low overridden
An attempt was made to reset a sensitive account's password. overridden
Sensitive browser credential files accessed by a rare non browser process Informational 1 variation
Sensitive browser credential files accessed by a rare non browser process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Achieve Credential Access by harvesting credentials from local browser storage.This facilitates Lateral Movement and Persistence across the environmentto gain unauthorized control over sensitive resources and information.Investigative actions: Determine the legitimacy of the actor process that accessed the sensitive browser credential files. Analyze the process signature, file path, and command line arguments to verify the process's authenticity. Identify the process or user responsible for initiating the activity and assess its legitimacy.Variations
Sensitive browser credential files accessed by a rare non browser process from a commonly abused directory
Low overridden
Sensitive browser credential files accessed by a rare non browser process. overridden
Serial console access was enabled in AWS account Informational Cloud
Serial console access to EC2 instances was enabled in an AWS account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.Investigative actions: Verify whether serial console access should be enabled. Investigate which actions were performed via serial console access.Service execution via sc.exe Informational
Sc.exe has the ability to start services on local and remote hosts. An attacker may abuse it to execute malicious services on a host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run code on local or remote hosts.Investigative actions: Check whether the service that was created via sc.exe is benign and if this was a desired behavior as part of its normal execution flow.Service ticket request with a spoofed sAMAccountName Medium Identity Analytics
A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.Setting Windows Auto Logon by uncommon process Low
Setting Windows Auto Logon by uncommon process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to set auto logon for persistence and privilege escalation.Investigative actions: Investigate the process that set or create the registry key.Setuid and Setgid file bit manipulation Low 1 variation
The setuid or setgid bits were set on a file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to run the executable application as a different user.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Setuid and Setgid file bit manipulation in a Kubernetes pod
Low overridden
The setuid or setgid bits were set on a file. overridden
SharePoint Site Collection admin group addition Informational Identity Threat Module 2 variations
A user made an addition to the site collection administrators group in SharePoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Office 365 AuditAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Check the IP address from which the access originated. Verify the activity with the performing user. Follow further actions done by the account.Variations
SharePoint site collection admin added to personal site
Informational overridden
A user was added as a site collection admin to a personal site, indicating that the user has accessed the SharePoint service for the first time. overridden
Abnormal SharePoint Site Collection admin group addition
Low overridden
A user made an addition to the site collection administrators group in SharePoint. This user has not made any SharePoint site admin additions over the past 30 days. overridden
Short-lived Azure AD user account Informational Identity Threat Module 1 variation
An Azure AD user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal Short-lived Azure AD user account
Low overridden
An Azure AD user was created and deleted within a short period of time. overridden
Short-lived user account Low Identity Analytics 2 variations
A user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal short-lived user account
Low overridden
A user was observed creating and deleting an account a short time later. This user does not regularly create and delete accounts. overridden
Short-lived hidden user account
Medium overridden
A user was created with a name that mimics a machine account and later deleted within a short period of time. This may be an attacker's attempt to evade detection. overridden
Signed process creates a scheduled task via file access Informational 1 variation
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: An attacker may gain persistence and execute malicious tools via scheduled tasks.Investigative actions: Check the created task file and look for the action triggered by the task.Variations
Signed process running from an untrusted directory creates a scheduled task via file access
Low overridden
A signed process created a scheduled task via file access. Attackers may create scheduled tasks for execution and to establish persistence. overridden
Signed process performed an unpopular DLL injection Informational 4 variations
A signed process performed an unpopular DLL injection into another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Signed process that got injected performed an unpopular and suspicious dll injection
High overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process that got injected performed an unpopular and suspicious dll injection
Medium overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process that got injected performed an unpopular dll injection
Medium overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process performed an unpopular DLL injection
Low overridden
A signed process performed an unpopular DLL injection into another process. overridden
Signed process performed an unpopular injection Informational 6 variations
A signed process performed an unpopular injection to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Signed process that got injected performed an unpopular and suspicious injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process that got injected performed an unpopular and suspicious injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process that got injected performed an unpopular injection
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Commonly abused signed process performed a globally unpopular injection to a Microsoft signed process
Medium overridden
A signed process performed an unpopular injection to another process. overridden
Signed process performed an unpopular injection
Low overridden
A signed process performed an unpopular injection to another process. overridden
Signed process executed by a scheduled task performed an unpopular injection
Low overridden
A signed process performed an unpopular injection to another process. overridden
Single account excessively locked out Informational Identity Analytics 1 variation
A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if there were any successful authentications (event ID 4624). Determine if any programs have stored outdated credentials, causing account lockouts. Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices. Confirm whether the user's credentials have been compromised or leaked. Review if the account is enrolled in multifactor authentication (MFA). Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Single suspicious account excessively locked out
Low overridden
A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account. overridden
Soft delete of cloud storage configuration was disabled Informational Cloud
A Soft Delete configuration was disabled on a cloud storage account.Soft delete allows a deletion of a blob or a container to be restored.Disabling it will impair the ability of the cloud environment to recover in disaster scenarios.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: Azure Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.Investigative actions: Check if the identity intended to disable soft delete for this storage account. Check if the identity performed additional malicious operations in the cloud environment.Space after filename Informational
A file was created or renamed to have a space at the end of its name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Space after Filename (T1036.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to change the extension of the file to evade detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Spam Bot Traffic Low 2 variations
The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Days
- Deduplication:
- 3 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Resource Hijacking (T1496)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: The attacker uses the host as an SMTP client to send mails and hide their real origin.Investigative actions: Verify that the source is not an SMTP server. If Cortex XDR Analytics has failed to identify the process as a valid SMTP server, this alert will be a false positive. Verify that IP addresses are actually not being resolved by the non-SMTP process. If the process is performing DNS resolution with a DNS service outside your network, it is possible (depending on your network topology) that Cortex XDR Analytics will not observe that traffic. Because SMTP services typically use numerous IP addresses, this situation could cause a process to exceed a limit when it would otherwise fail to do so. If the SMTP connection activity turns out to be the result of malicious file activity, search on the Triage page for other endpoints infected with the file.Variations
Spam Bot Traffic
Informational overridden
The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses. overridden
Failed Spam Bot Traffic
Informational overridden
The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses. overridden
Storage enumeration activity Informational Cloud
An identity attempted to discover cloud objects within storage buckets.This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619) Cloud Infrastructure Discovery (T1580)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: Access sensitive data stored in cloud infrastructure.Investigative actions: Check the identity's role designation in the organization. Identify which storage buckets were enumerated and whether they contained sensitive information.Stored credentials exported using credwiz.exe Low 3 variations
Attackers may abuse the credwiz tool to export stored accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores (T1555)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Stored credentials exported using credwiz.exe using keymgr.dll's KRShowKeyMgr function
Medium overridden
Attackers may abuse the credwiz tool to export stored accounts using keymgr.dll's KRShowKeyMgr function. overridden
Stored credentials exported using credwiz.exe over RDP
Low overridden
Attackers may abuse the credwiz tool to export stored accounts over RDP. overridden
Stored credentials exported using credwiz.exe with a built-in Windows tool
Low overridden
Attackers may abuse the credwiz tool to export stored accounts with a built-in Windows tool. overridden
Subdomain Fuzzing Low 1 variation
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 20 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning: Wordlist Scanning (T1595.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Scan a known external facing asset to gain knowledge about the organization.Investigative actions: Verify that the domain doesn't host numerous subdomains. Verify that the source of the scan is not a known external scanner.Variations
Subdomain Fuzzing To a Rare Destination
Medium overridden
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network. overridden
Successful unusual guest user invitation Informational Identity Threat Module 1 variation
An identity successfully invited a guest user to the tenant with unusual characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can invite users to for evasion.Investigative actions: Check who is the invited guest user. Check whether the inviter is permitted to perform such actions. Check if the domain of the invited guest is allowed for invitations in the organization.Variations
Rare successful guest invitation in the organization
Low overridden
An identity successfully invited a suspicious guest user to the tenant. overridden
Sudden spike in outbound email volume Informational Email 2 variations
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 2 Hours
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Sudden spike in outbound emails sent to external recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Sudden spike in outbound emails sent to internal recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Sudoedit Brute force attempt Medium
An unusual amount of sudoedit commands executed in a short period of time. This may indicate an attempt to exploit CVE-2021-3156.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Exploitation for Privilege Escalation (T1068)Required data: XDR AgentAttacker's goals: The attacker may gain higher privileges via exploitation of sudoedit.Investigative actions: Verify that the current version of sudo in not vulnerable to CVE-2021-3156.Suspicious .NET process loads an MSBuild DLL Medium
A suspicious process in the Microsoft .NET directory loaded the Microsoft Build Framework DLL. This may occur if an attacker masquerades a process like MSBuild (PowerLessShell).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Suspicious AI Dataset Download Low Cloud 1 variation
A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Manipulate datasets used by ML models.Investigative actions: Determine which dataset was accessed. Examine the changes made to the dataset.Variations
Suspicious First-Time AI Dataset Download by Identity
Medium overridden
A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection. overridden
Suspicious AI Dataset Label Modification Low Cloud
AI Dataset labels were modified by an identity that typically doesn't interact with labels.MITRE ATLAS Technique: AML.T0020 - Poison Training Data.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Contaminating training set, so that predictions on new data will be modified.Investigative actions: Check the identity that modified the dataset's labels. Check that the dataset is correctly labeled.Suspicious AI model usage from a Tor exit node High Cloud 1 variation
A cloud identity invoked an AI model from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Failed AI model usage from a Tor exit node
Informational overridden
A cloud identity invoked an AI model from a Tor exit node. overridden
Suspicious AMSI decode attempt Informational
A script has executed commands that can be used to decode commands or files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Minute
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Deobfuscate/Decode Files or Information (T1140)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid security mitigations and detections.Investigative actions: Check the payload for malicious activity.Suspicious API call from a Tor exit node High Cloud 2 variations
A cloud API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Suspicious Kubernetes API call from a Tor exit node
High overridden
A Kubernetes API was called from a Tor exit node. overridden
A Failed API call from a Tor exit node
Informational overridden
A cloud API was called from a Tor exit node. overridden
Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
A non admin identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious Azure AD interactive sign-in using PowerShell Informational Identity Analytics 1 variation
A user interactively logged in to Azure AD via PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureADAttacker's goals: The attacker attempts to gain access to the organization's resources.Investigative actions: Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Unusual Azure AD interactive sign-in using PowerShell
Low overridden
A user interactively logged in to Azure AD via PowerShell from an unusual geolocation or ASN. overridden
Suspicious Azure enumeration activity Medium Cloud
An Azure identity performed resource enumeration across multiple services using Microsoft Graph.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Map the Azure tenant and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Suspicious Certutil AD CS contact Low 1 variation
A suspicious occurrence of Certutil attempted to contact the AD CS Request Interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: System Service Discovery (T1007) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Look at further action done by the user. Investigate whether other non-standard operations were done regarding the AD CS.Variations
Suspicious Certutil AD CS Admin Interface contact
Medium overridden
A suspicious occurrence of Certutil attempted to contact the AD CS Admin Interface. overridden
Suspicious DKIM Result Informational Email 4 variations
The email contains a suspicious DKIM entry, showing either an unexpected verification result (none, fail, or policy) or a mismatched signing domain, which may indicate potential tampering or spoofing activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation, and check why DKIM didn't pass. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Known domain DKIM deviation
Informational overridden
An email was sent from a commonly seen domain in the organization, that has historically passed DKIM checks, but returned a suspicious DKIM result of fail This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden
Lack DKIM signature from typically signing domains
Informational overridden
An email was sent from a domain that has historically passed DKIM checks, but returned a suspicious DKIM result of none A none DKIM result implies on an unsigned email, which is atypical for domains with previous signed messages. This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DKIM outcome from a previously trusted external domain warrants further investigation. overridden
DKIM results lacking sender correlation
Informational overridden
The email's authentication results have no indication of proper signing from the email's sender This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. overridden
Known domain suspicious DKIM result
Informational overridden
An email was sent from a commonly seen domain that had no other suspicious DKIM outcomes for the past 30 days. This may indicate an attempt to spoof or impersonate a legitimate external sender. overridden
Suspicious DMARC result Informational Email 3 variations
The email has a suspicious DMARC result of either fail or none, which may indicate a potential domain misconfiguration or spoofing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Trick users into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings. Check the email address for any missing letters. Check the reason DMARC didn't pass and the action. Check if the email was delivered to the recipients based on the action taken, even though DMARC did not pass. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
DMARC deviation from historically compliant domain
Informational overridden
This deviation may indicate an attempt to spoof or impersonate a legitimate external sender. Such sudden DMARC outcome from a previously trusted external domain warrants further investigation. overridden
DMARC failure bypassed domain policy
Informational overridden
This indicates the message should have been rejected according to the domain owner policy, but was instead accepted and delivered, potentially exposing the user to email spoofing or phishing. This suggests a potential policy bypass or misconfiguration in mail filtering. overridden
DMARC failed with non-enforcing policy
Informational overridden
This may indicate an overly permissive DMARC configuration on the sender side and could allow unauthenticated messages to reach users' inboxes. Such configurations are often exploited in phishing or spoofing campaigns, and should be treated with caution. overridden
Suspicious DNS traffic Informational 2 variations
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
Suspicious DNS traffic with a rarely seen domain
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden
Suspicious DNS traffic with a globally rare DNS query length
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden
Suspicious DotNet log file created Low 3 variations
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Reflective Code Loading (T1620) Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Run/Inject DotNet code in the context of a signed process.Investigative actions: Verify if the actor process is using DotNet in a valid way. Check if a new application was recently installed on the host at the time of the alert.Variations
DotNet log file created by svchost from 'Absolute software Corp' causality
Informational overridden
Causality 'Absolute software Corp' loads/injects into svchost and creates DotNet log files. overridden
Suspicious DotNet log file created from an injected thread
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Suspicious DotNet log file created
Low overridden
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files. overridden
Suspicious EBS snapshots deletion Low Cloud 1 variation
An identity deleted multiple EBS snapshots from the project, considerably more than usual.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.Investigative actions: Identify the deleted snapshots and their associated resources. Investigate the identity that performed the deletion and review recent related activity.Variations
A non administrative identity successfully deleted multiple snapshots from a project
Medium overridden
An identity deleted multiple EBS snapshots from the project, considerably more than usual. overridden
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller Medium
An Encrypting File System Remote call (EFSRPC) was made to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to steal credentials and move laterally within a network.Investigative actions: Check for suspicious processes on the host. Check if the source host is a vulnerability scanner. Look for following suspicious connections using the DC machine account.Suspicious External RDP Login Informational Identity Analytics
An unusual successful RDP connection by a user from an external IP.This may be indicative of using stolen credentials or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.Investigative actions: Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.Suspicious HTTP parameters detected Medium
The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.Suspicious ICMP packet Low 1 variation
An ICMP router advertisement was sent by a host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Make the victim change his routing table.Investigative actions: Investigate why the source host sent an ICMP router advertisement and if it changed the destination target routing table.Variations
Suspicious ICMP packet that resemble an ICMP redirect attack
Informational overridden
ICMP redirect was sent by a user. overridden
Suspicious ICMP traffic that resembles smurf attack Low
ICMP smurf attack was used.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Endpoint Denial of Service: Service Exhaustion Flood (T1499.002) Network Denial of Service (T1498)Required data: XDR AgentAttacker's goals: Attempt to perform a denial-of-service attack by network exhaustion.Investigative actions: Check if the ICMP message to broadcast was used for a legitimate reason. If not, check for denial-of-service impact on the subnet.Suspicious Kerberos Pre-Auth Failures by Host Low Identity Analytics
An endpoint failed unusual number of Kerberos pre-authentications (TGT requests) which may indicate a password-spraying attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Review source host activity to detect any additional suspicious or lateral movement behavior. Correlate successful logons from the source host to identify potential account compromises following the failed attempts.Suspicious Kubernetes pod token access Medium 2 variations
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Gain access to the Kubernetes environment.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Suspicious Kubernetes pod token access by an unusual pod
High overridden
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden
Suspicious Kubernetes pod token access by an unusual process
Medium overridden
A Kubernetes pod has accessed the access token of another pod.This could indicate potential unauthorized access or a security breach within the cluster. overridden
Suspicious LDAP queries followed by shared folder access Low
The user executed suspicious LDAP queries shortly before accessing a shared folder.This behavior may be indicative of Rubeus activity involving Kerberos ticket forgery, such as Golden Ticket or Silver Ticket attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may use LDAP based account discovery and a forged Kerberos ticket (e.g. Silver Ticket) to access shared resources and collect sensitive data.Investigative actions: Review the LDAP query content to determine if it targets privileged groups (e.g., Domain Admins) or sensitive objects. Correlate the shared folder path with sensitive file shares (e.g., SYSVOL, NETLOGON, backup shares). Check if the IP address {ip_address} is associated with known administrative systems or unusual user behavior. Determine if Rubeus or other Kerberos abuse tools were used based on timing, patterns, or command line artifacts. Inspect for potential Silver Ticket or Golden Ticket activity by reviewing Kerberos ticket logs and security events. Verify if the user account had prior suspicious authentication events or privilege escalation.