Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Unusual display name in From header Informational Email 2 variations

    An email was detected with an unusual display name in the From header.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Evade defenses and hide potential malicious data inside the email display name.
    Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.

    Variations

    Unusual display name in the From header containing an embedded URL

    Low overridden

    An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden

    Unusual display name in the From header that is identical to the email address

    Informational overridden

    An email was detected where the display name in the From header is unusual and matches the sender email address. overridden

  • Unusual exec into a Kubernetes Pod Informational Cloud 5 variations

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Execute commands within the Kubernetes Pod. Access any resource the Kubernetes Pod has access to.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Failed exec attempt into a Kubernetes Pod

    Informational overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    First time execution into Kubernetes Pod at the cluster-level

    Medium overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into Kubernetes Pod for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into a Kubernetes namespace for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

    Identity executed into a Kubernetes Pod for the first time

    Low overridden

    An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden

  • Unusual hostname for the sending mail server in the email headers Informational Email

    The detected mail server hostname had not been observed in the organization's emails in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.
    Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Unusual internal access to network device management interface Informational

    Unusual internal access to Palo Alto Networks device on management port.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)
    ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)
    Required data: XDR Agent
    Attacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.
    Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.
  • Unusual key management activity Informational Cloud

    A cloud identity performed a key management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.Using the decrypted information, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive KMS operation that it shouldn't.
  • Unusual multi-region AWS Resource Explorer searches Informational Cloud

    An identity performed unusual discovery activity in multiple regions using Resource Explorer's Search operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Obtain a list of resources that could be targeted for lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • Unusual process access to ld.so.preload file Medium

    Attackers can modify ld.so.preload to inject malicious code into every dynamically linked process, enabling persistence and code execution. This detected operation is considered atypical in terms of access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: This allows attackers to inject malicious code into system processes, gain persistence, code injection, evade detection, and potentially escalate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Download the /etc/ld.so.preload file from the host and see if and what libraries are specified there. Download any library specified and see if it's benign.
  • Unusual process accessed FTP Client credentials Low

    An unusual process has accessed a third-party FTP client's credential file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to passwords stored in the FTP client.
    Investigative actions: Determine whether it is legitimate for the process to access FTP passwords directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the FTP client.
  • Unusual process accessed a crypto wallet's files Low

    An unusual process has accessed files belonging to a cryptocurrency wallet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Local System (T1005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to cryptocurrency stored in the wallet.
    Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Audit the usage of the cryptocurrency stored in the wallet.
  • Unusual process accessed a macOS notes DB file Informational 1 variation

    An unusual process has accessed a user's notes DB file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to user's notes and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access user's notes. Analyze the process/application that accessed the DB file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above notes.

    Variations

    Unusual unsigned process accessed a macOS notes DB file

    Low overridden

    An unusual process has accessed a user's notes DB file. overridden

  • Unusual process accessed a messaging app's files Low

    An unusual process has accessed files belonging to a messaging app.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)
    ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's message history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.
  • Unusual process accessed a web browser history file Low 1 variation

    An unusual process has accessed a web browser history file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Collection (TA0009)
    ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's browsing history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.

    Variations

    Unusual process accessed a web browser history file on Linux

    Low overridden

    An unusual process has accessed a web browser history file. overridden

  • Unusual process accessed the PowerShell history file Informational

    An abnormal process accessed the PowerShell console history file.This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to run PowerShell without powershell.exe to evade detection.
    Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.
  • Unusual process accessed web browser cookies Informational 1 variation

    An unusual process has accessed a web browser's session cookie store.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Web Session Cookie (T1539)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to or hijack sessions to websites stored in the web browser's cookies.
    Investigative actions: Determine whether it is legitimate for the process to access session cookies directly. Analyze the process/application that accessed the cookie store. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser/cookie store.

    Variations

    Unusual unsigned process accessed web browser cookies

    Low overridden

    An unusual process has accessed a web browser's session cookie store. overridden

  • Unusual process accessed web browser credentials Informational 2 variations

    An unusual process has accessed a web browser credentials file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to credentials (such as cached logins) stored in the web browser.
    Investigative actions: Determine whether it is legitimate for the process to access web browser credential data directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser.

    Variations

    Unusual process accessed web browser credentials and executed by a terminal process

    High overridden

    An unusual process has accessed a web browser credentials file. overridden

    Unusual unsigned process accessed web browser credentials

    Low overridden

    An unusual process has accessed a web browser credentials file. overridden

  • Unusual resource access by Azure application Informational Cloud 1 variation

    An Azure application had interacted with an unusual resource using the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Abuse applications to gain access to the Azure tenant.
    Investigative actions: Verify whether the application is intended to use the resource in question. Investigate any unusual activity originating from the application.

    Variations

    Suspicious resource access by Azure application

    Low overridden

    An Azure application had interacted with an unusual resource using the Microsoft Graph API. overridden

  • Unusual resource modification by newly seen IAM user Informational Cloud 3 variations

    A cloud resource was modified by a newly seen IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to manipulate cloud infrastructure.
    Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.

    Variations

    Unusual Kubernetes resource modification by newly seen IAM user

    Informational overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual IAM resource modification by newly seen IAM user

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual resource modification by newly seen IAM user from an uncommon IP

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

  • Unusual secret management activity Informational Cloud

    A cloud Identity performed a secret management operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.
  • Unusual sender IP subnet Informational Email 2 variations

    This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.
    Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Unusual sender IP subnet associated with infrastructure or tunneling services

    Informational overridden

    This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden

    Unusual sender IP subnet associated with internal sender

    Informational overridden

    This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden

  • Unusual use of a 'SysInternals' tool Informational 3 variations

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may leverage SysInternals tools for lateral movement, credential access, or to delete recovery backups to cause impact.
    Investigative actions: Check if the file is familiar to the user, if not, investigate further the source of it.

    Variations

    Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature

    High overridden

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden

    Unusual use of a 'SysInternals' tool that can be used for offensive operations

    High overridden

    An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden

    A registry key related to SysInternals was modified by a known registry editor

    Informational overridden

    A registry key related to SysInternals was modified by a known registry editor to circumvent a EULA prompt. overridden

  • Unusual user account enablement Informational Identity Analytics 1 variation

    A user enabled an account. This user does not usually enable user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may enable a user account to gain persistence.
    Investigative actions: Investigate the associated enabling event. Check if the user is authorized to enable accounts. Confirm that the account enablement was expected. If the account enablement seems suspicious, address it accordingly by disabling the account again, forcing a password change, or monitoring its activity.

    Variations

    Unusual sensitive user account enablement

    Low overridden

    A user enabled a sensitive account. This user does not usually enable user accounts. overridden

  • Unusual user account unlock Informational Identity Analytics 1 variation

    A user unlocked an account. This user does not usually unlock user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may unlock a user account to gain unauthorized access.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4625, 4776 events). Check if the user is authorized to unlock accounts. Confirm that the user unlock was expected. Monitor services that may be running with a user's credentials, resulting in lockouts.

    Variations

    Unusual sensitive user account unlock

    Low overridden

    A user unlocked a sensitive account. This user does not usually unlock user accounts. overridden

  • Unusual user-agent for a cloud identity Informational Cloud 1 variation

    A cloud identity has executed an API call with an unusual user-agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Evade detection by using non-standard tools or scripts.
    Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.

    Variations

    Unusual user-agent for a cloud identity by a compromised AWS access key

    Medium overridden

    A cloud identity has executed an API call with an unusual user-agent. overridden

  • Unusual weak authentication by user Informational Identity Analytics

    A user account authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be indicative of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage.
  • Unverified domain added to Azure AD Informational Identity Threat Module 1 variation

    A new unverified domain was added to Azure AD.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check if the new domain is known for the organization. Check whether the user changing the configuration is permitted. Monitor network activity to and from the added domain.

    Variations

    Rare unverified domain addition to Azure AD

    Low overridden

    A new unverified domain was added to Azure AD. overridden

  • Upload pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Usage of homograph characters detected in an email Informational Email

    Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.
    Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation

    Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.

    Variations

    Usage of homograph characters detected in an email attachment(s) extension

    Low overridden

    Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden

  • Usage of homograph characters detected in an email's from header Informational Email

    Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.
    Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • User accessed SaaS resource via anonymous link Informational Identity Threat Module 2 variations

    A user accessed a SaaS resource via an anonymous link.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker is attempting to collect sensitive data.
    Investigative actions: Check the IP address from which the access originated. Examine the file that was accessed for any sensitive indicators. Follow further actions taken, such as downloading files.

    Variations

    External user accessed a sensitive SaaS file via anonymous link

    Low overridden

    An external user accessed a sensitive SaaS file via an anonymous link. overridden

    User accessed a public Google Drive document

    Informational overridden

    A user accessed a Google Drive document that is public on the web. overridden

  • User accessed multiple O365 AIP sensitive files Informational Identity Threat Module

    A user accessed multiple O365 AIP sensitive files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive information.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.
  • User account delegation change Informational Identity Analytics 2 variations

    A user account was modified with delegation to a service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to control an Active Directory environment.
    Investigative actions: Verify this action with the user who performed the change. Check if the account modified is a service account. Follow actions by the user, including TGT and TGS requests. Monitor for anomalous Kerberos activity.

    Variations

    User account delegation to KRBTGT

    High overridden

    A user account was modified with delegation to the KRBTGT service. overridden

    User account delegation to a DC

    Low overridden

    A user account was modified with delegation to a service on a domain controller. overridden

  • User added SID History to an account Informational Identity Analytics 1 variation

    A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.
    Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.

    Variations

    Suspicious SID History Addition

    Medium overridden

    A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden

  • User added a new device to Okta Verify instance Informational Identity Threat Module 1 variation

    The user has successfully registered a new device with the Okta Verify application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.
    Investigative actions: Reach out to the user responsible for the device registration to confirm its legitimacy. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN). Make sure the IP address is not showing any abnormal activity. Monitor the activity from the new registered device and ensure that it matches the user's normal activity.

    Variations

    Suspicious device enrollment to Okta

    Low overridden

    A new device was registered on Okta with suspicious characteristics, which increased the alert severity. overridden

  • User added to a group and removed Informational Identity Analytics 2 variations

    A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.

    Variations

    Rare privileged group addition and removal

    Medium overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

    User added to a privileged group and removed

    Low overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

  • User added to the SMS Admins local group Low Identity Analytics 1 variation

    A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.

    Variations

    User added to the SMS Admins group and removed

    Medium overridden

    A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden

  • User and Group Enumeration via SAMR Informational

    The endpoint performed unfamiliar SAMR querying activity to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may enumerate users and groups to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC-based services to multiple hosts. Check if there are any other suspicious activities originating from the same machine.
  • User attempted to connect from a suspicious country Informational Identity Analytics 1 variation

    A user connected from an unusual country. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    User successfully connected from a suspicious country

    Low overridden

    A user successfully connected from an unusual country. This may indicate the account was compromised. overridden

  • User collected remote shared files in an archive Low Identity Threat Module

    Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.
  • User discovery via WMI query execution Informational 3 variations

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.

    Variations

    User discovery via WMI query execution by an unsigned process

    Low overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

    User modification via WMIC query execution

    Low overridden

    Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden

    User discovery via WMIC query execution

    Informational overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

  • User exported multiple messages in Microsoft Teams via Graph API Informational Identity Threat Module 3 variations

    A user exported multiple messages in Microsoft Teams via Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.
    Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

    Variations

    User exported multiple chats in Microsoft Teams via Graph API

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

    User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

    User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

  • User installed an application in Microsoft Teams via Graph API Informational Identity Threat Module 1 variation

    A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Cloud Application Integration (T1671)
    Required data: Microsoft Graph Logs
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.

    Variations

    User installed an application in Microsoft Teams via Graph API from a first seen ASN

    Low overridden

    A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it. overridden

  • User moved Exchange sent messages to deleted items Informational Identity Threat Module Email 1 variation

    A user moved sent messages to deleted items in Exchange.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal: Clear Mailbox Data (T1070.008)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to hide newly sent email messages for evasion purposes.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Sensitive Exchange sent messages moved to deleted items from unusual source

    Low overridden

    A user moved sensitive sent messages to deleted items in Exchange. overridden

  • User sent messages in Microsoft Teams to multiple conversations via Graph API Informational Identity Threat Module 1 variation

    A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Internal Spearphishing (T1534)
    Required data: Microsoft Graph Logs
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage a compromised user account to send phishing or malicious messages via Graph API to multiple recipients, aiming to propagate the attack while evading detection.
    Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.

    Variations

    User sent messages in Microsoft Teams to several conversations via Graph API with suspicious characteristics

    Low overridden

    A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it. overridden

  • User set insecure CA registry setting for global SANs Low Identity Analytics

    A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.
    Investigative actions: Confirm whether the registry change was authorized by the user or system administrator. Monitor certificate enrollments with Subject Alternate Names. Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies. Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.
  • User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation

    A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)
    Required data: AzureAD
    Attacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.
    Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.

    Variations

    User signed in to an uncommon application via Power Automate for the first time

    Low overridden

    A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden

  • VM Detection attempt Informational

    A script has executed commands that can be used to detect VM environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.
    Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.
  • VM Detection attempt on Linux Informational 2 variations

    A Process executed a command and/or accessed a file that can be used to detect VM environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)
    ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)
    Required data: XDR Agent
    Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.
    Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.

    Variations

    VM Detection attempt on Linux with further reconnaissance commands

    Medium overridden

    A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden

    VM Detection attempt on Linux using an unpopular technique

    Low overridden

    A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden

  • VPN Login Password Spray Informational Identity Analytics 2 variations

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Analyze the time intervals between login attempts to check for patterns indicative of a password spraying attack. Investigate the cause of the login failures (e.g. incorrect passwords, account lockouts, other factors). Review the geographic regions behind the failed login attempts. Investigate if a successful login was made after unsuccessful attempts. Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.

    Variations

    Successful VPN Password Spray Threat Detected with unusual characteristics

    Medium overridden

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden

    VPN login password spray with unusual characteristics

    Low overridden

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden

  • VPN access with an abnormal operating system Informational Identity Analytics 2 variations

    A user accessed a VPN with an abnormal operating system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use a legitimate user and connect to a VPN service to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.

    Variations

    VPN access with a suspicious operating system

    Medium overridden

    A user accessed a VPN with an abnormal operating system. overridden

    VPN access from an abnormal operating system with suspicious characteristics

    Low overridden

    A user accessed a VPN from an abnormal operating system with some more suspicious characteristics that flagged this login attempt as a suspicious login. overridden

  • VPN login Brute-Force attempt Informational Identity Analytics 2 variations

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker attempts to gain access to the account.
    Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.

    Variations

    Successful VPN Login Brute Force

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden

    VPN login brute-force attempt with suspicious characteristics

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden

  • VPN login attempt by a honey user Low Identity Analytics 1 variation

    A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Abnormal VPN login by a honey user

    Medium overridden

    A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden

  • VPN login by a dormant user Informational Identity Analytics

    A dormant user logged on to a VPN service after having been unused for a month or longer.This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check if the user initiated other logins aside from a VPN login. Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.
  • VPN login by a service account Low Identity Analytics 1 variation

    A service account attempted to log in to a VPN service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.
    Investigative actions: See whether the service authentication was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Rare VPN login by an administrative service account

    Medium overridden

    An administrative service account attempted to log in to a VPN service. overridden

  • VPN login with a machine account Informational Identity Analytics 1 variation

    A machine account successfully logged in to a VPN service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.
    Investigative actions: See whether the service login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Rare VPN login with a machine account

    Low overridden

    A machine account successfully logged in to a VPN service. overridden

  • Vulnerable certificate template loaded Informational Identity Analytics 2 variations

    A possible misconfigured certificate template was loaded by Certificate Services. This may indicate potential certificate template abuse.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.
    Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Look for signs of certificate template enumeration via LDAP. Inspect certificates issued to privileged accounts. Check for abnormal PKINIT authentication or elevated Kerberos tickets.

    Variations

    First detection of AD CS ESC vulnerability in certificate template

    Medium overridden

    A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services for the first time. This may indicate potential certificate template abuse. overridden

    Certificate template vulnerable to AD CS ESC attack

    Low overridden

    A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services. This may indicate potential certificate template abuse. overridden

  • Wbadmin deleted files in quiet mode High

    Wbadmin was used to delete files in quiet mode.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: XDR Agent
    Attacker's goals: Adversaries may delete the backup catalog to prevent recovery of a corrupted system.
    Investigative actions: Check if the delete action was legitimate and performed by an authorized user.
  • Weakly-Encrypted Kerberos TGT Response Informational 1 variation

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.
    Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).

    Variations

    Abnormal Weakly-Encrypted Kerberos TGT Response

    Low overridden

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden

  • Weakly-Encrypted Kerberos Ticket Requested Low 1 variation

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Weakly-Encrypted Kerberos Ticket Requested on a sensitive server

    Medium overridden

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack. This action occurred on a sensitive server, which may indicate a malicious activity. overridden

  • Web server CGO executed a process following a potential Webshell dropped Informational

    A process was executed by a web server CGO following a potential drop of a webshell file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.
  • Web server CGO executed an uncommon process Informational 1 variation

    An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.

    Variations

    Web server CGO executed a LOLBIN process with direct IP in the command line

    High overridden

    A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden

  • WebDAV drive mounted from net.exe over HTTPS Informational

    Attackers may mount a WebDAV drive over HTTPS to upload files to and download files from a compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: XDR Agent
    Attacker's goals: Attackers might use WebDAV as a C&C or exfiltration channel to evade detection and firewall rules.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Well-known brand in sender headers with header inconsistencies Informational Email

    Sender headers include a well-known brand with header inconsistencies indicating possible impersonation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Brand Impersonation
    Attacker's goals: Impersonate known legitimate brands or other technological entities to trick recipients into disclosing information or executing malicious code unwillingly.
    Investigative actions: Identify the specific emails responsible for the accumulation of these alerts. Review their headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk. Document and escalate findings in case this is a broader phenomenon.
  • Windows CGO, actor and action processes with anomalous characteristics Informational 2 variations

    Windows CGO, actor and action processes with anomalous characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Detector tags: Process Anomaly Analytics
    Attacker's goals: Processes anomalous characteristics which commonly appear in malicious activities.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the CGO and actor processes that executed the process and check if they are malicious.

    Variations

    Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO

    Low overridden

    Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO. overridden

    Windows CGO, actor and action processes with highly anomalous characteristics

    Low overridden

    Windows CGO, actor and action processes with anomalous characteristics. overridden

  • Windows CGO, actor process and action module with anomalous characteristics Informational 1 variation

    Windows CGO, actor process and action module with anomalous characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Loading modules with anomalous characteristics that commonly appear in malicious activities.
    Investigative actions: Investigate the loaded image and check if it is malicious. Investigate the CGO process and actor process that loaded the module and check if they are malicious.

    Variations

    Windows CGO, actor process and action module with very anomalous characteristics

    Low overridden

    Windows CGO, actor process and action module with anomalous characteristics. overridden

  • Windows Event Log was cleared using wevtutil.exe Low 2 variations

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: XDR Agent
    Attacker's goals: Delete logs to cover tracks of the malicious activity, making it harder to perform analysis.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Security Event Log was cleared using wevtutil.exe

    High overridden

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden

    A Sensitive Windows Event Log was cleared using wevtutil.exe

    Medium overridden

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden

  • Windows Installer exploitation for local privilege escalation Medium

    The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Exploitation for Privilege Escalation (T1068)
    Required data: XDR Agent
    Attacker's goals: An attacker is attempting to gain SYSTEM privileges.
    Investigative actions: Investigate the actor process SID and path and whether it's benign or normal for this host. This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.
  • Windows LOLBIN executable connected to a rare external host Medium 2 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to.

    Variations

    Windows LOLBIN executable connected to a rare external host on a newly activated agent

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN executable connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

  • Windows event logs were cleared with PowerShell Informational 3 variations

    Windows event logs were cleared or deleted with PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal: Clear Windows Event Logs (T1070.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may clear events from Windows event logs to remove traces of their malicious activity.
    Investigative actions: Validate if the script that was executed is from a legitimate IT activity. Look for additional suspicious actions that were executed on the host.

    Variations

    Suspicious clear or delete security provider event logs with PowerShell

    High overridden

    Windows event logs were cleared or deleted with PowerShell. overridden

    Suspicious clear or delete default providers event logs with PowerShell

    Medium overridden

    Windows event logs were cleared or deleted with PowerShell. overridden

    Windows event logs were cleared with uncommon PowerShell command line

    Low overridden

    Windows event logs were cleared or deleted with PowerShell. overridden

  • WmiPrvSe.exe Rare Child Command Line Low 1 variation

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.

    Variations

    WmiPrvSe.exe Rare Child Command Line

    Medium overridden

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden

  • Wscript/Cscript loads .NET DLLs Low

    An unusual script loads .NET DLLs, possibly indicating JScriptToDotnet execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Wsmprovhost.exe Rare Child Process Low

    The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.
  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden