Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapUnusual display name in From header Informational Email 2 variations
An email was detected with an unusual display name in the From header.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Evade defenses and hide potential malicious data inside the email display name.Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.Variations
Unusual display name in the From header containing an embedded URL
Low overridden
An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden
Unusual display name in the From header that is identical to the email address
Informational overridden
An email was detected where the display name in the From header is unusual and matches the sender email address. overridden
Unusual exec into a Kubernetes Pod Informational Cloud 5 variations
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Execute commands within the Kubernetes Pod. Access any resource the Kubernetes Pod has access to.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Failed exec attempt into a Kubernetes Pod
Informational overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
First time execution into Kubernetes Pod at the cluster-level
Medium overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into Kubernetes Pod for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into a Kubernetes namespace for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Identity executed into a Kubernetes Pod for the first time
Low overridden
An identity initiated a shell session within a Kubernetes pod using the exec command.The command allows an identity to establish a temporary shell session and execute commands in the pod.This may indicate an attacker attempting to gain an interactive shell, which will allow access to the pod's data. overridden
Unusual hostname for the sending mail server in the email headers Informational Email
The detected mail server hostname had not been observed in the organization's emails in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.Unusual internal access to network device management interface Informational
Unusual internal access to Palo Alto Networks device on management port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.Unusual key management activity Informational Cloud
A cloud identity performed a key management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.Using the decrypted information, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive KMS operation that it shouldn't.Unusual multi-region AWS Resource Explorer searches Informational Cloud
An identity performed unusual discovery activity in multiple regions using Resource Explorer's Search operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtain a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.Unusual process access to ld.so.preload file Medium
Attackers can modify ld.so.preload to inject malicious code into every dynamically linked process, enabling persistence and code execution. This detected operation is considered atypical in terms of access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: This allows attackers to inject malicious code into system processes, gain persistence, code injection, evade detection, and potentially escalate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Download the /etc/ld.so.preload file from the host and see if and what libraries are specified there. Download any library specified and see if it's benign.Unusual process accessed FTP Client credentials Low
An unusual process has accessed a third-party FTP client's credential file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to passwords stored in the FTP client.Investigative actions: Determine whether it is legitimate for the process to access FTP passwords directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the FTP client.Unusual process accessed a crypto wallet's files Low
An unusual process has accessed files belonging to a cryptocurrency wallet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Local System (T1005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to cryptocurrency stored in the wallet.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Audit the usage of the cryptocurrency stored in the wallet.Unusual process accessed a macOS notes DB file Informational 1 variation
An unusual process has accessed a user's notes DB file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to user's notes and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access user's notes. Analyze the process/application that accessed the DB file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above notes.Variations
Unusual unsigned process accessed a macOS notes DB file
Low overridden
An unusual process has accessed a user's notes DB file. overridden
Unusual process accessed a messaging app's files Low
An unusual process has accessed files belonging to a messaging app.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's message history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.Unusual process accessed a web browser history file Low 1 variation
An unusual process has accessed a web browser history file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Collection (TA0009)ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's browsing history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.Variations
Unusual process accessed a web browser history file on Linux
Low overridden
An unusual process has accessed a web browser history file. overridden
Unusual process accessed the PowerShell history file Informational
An abnormal process accessed the PowerShell console history file.This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: An attacker is attempting to run PowerShell without powershell.exe to evade detection.Investigative actions: Investigate the process and command line executed and whether it's benign or normal for this host.Unusual process accessed web browser cookies Informational 1 variation
An unusual process has accessed a web browser's session cookie store.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Web Session Cookie (T1539)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to or hijack sessions to websites stored in the web browser's cookies.Investigative actions: Determine whether it is legitimate for the process to access session cookies directly. Analyze the process/application that accessed the cookie store. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser/cookie store.Variations
Unusual unsigned process accessed web browser cookies
Low overridden
An unusual process has accessed a web browser's session cookie store. overridden
Unusual process accessed web browser credentials Informational 2 variations
An unusual process has accessed a web browser credentials file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to credentials (such as cached logins) stored in the web browser.Investigative actions: Determine whether it is legitimate for the process to access web browser credential data directly. Analyze the process/application that accessed the credentials. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser.Variations
Unusual process accessed web browser credentials and executed by a terminal process
High overridden
An unusual process has accessed a web browser credentials file. overridden
Unusual unsigned process accessed web browser credentials
Low overridden
An unusual process has accessed a web browser credentials file. overridden
Unusual resource access by Azure application Informational Cloud 1 variation
An Azure application had interacted with an unusual resource using the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Abuse applications to gain access to the Azure tenant.Investigative actions: Verify whether the application is intended to use the resource in question. Investigate any unusual activity originating from the application.Variations
Suspicious resource access by Azure application
Low overridden
An Azure application had interacted with an unusual resource using the Microsoft Graph API. overridden
Unusual resource modification by newly seen IAM user Informational Cloud 3 variations
A cloud resource was modified by a newly seen IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage access to manipulate cloud infrastructure.Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.Variations
Unusual Kubernetes resource modification by newly seen IAM user
Informational overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual IAM resource modification by newly seen IAM user
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual resource modification by newly seen IAM user from an uncommon IP
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual secret management activity Informational Cloud
A cloud Identity performed a secret management operation for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse exposed secrets to gain access to restricted cloud resources and applications.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive secret management operation that it shouldn't.Unusual sender IP subnet Informational Email 2 variations
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Disguise the email's origin by spoofing the received header to appear as a trusted sender, impersonating a trusted source, aims to mislead recipients into disclosing private data or performing unsafe acts.Investigative actions: Review the email's received headers, to trace its path and spot spoofing signs. Examine the sender's IP address and domain reputation. Closely inspect the email content for malicious links, attachments, or requests for sensitive information. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Unusual sender IP subnet associated with infrastructure or tunneling services
Informational overridden
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden
Unusual sender IP subnet associated with internal sender
Informational overridden
This IP address has not been observed in correlation with the sender's fully qualified domain name within the last 30 days. overridden
Unusual use of a 'SysInternals' tool Informational 3 variations
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage SysInternals tools for lateral movement, credential access, or to delete recovery backups to cause impact.Investigative actions: Check if the file is familiar to the user, if not, investigate further the source of it.Variations
Unusual use of a 'SysInternals' tool by a process with an invalid or non-standard signature
High overridden
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden
Unusual use of a 'SysInternals' tool that can be used for offensive operations
High overridden
An attacker may be trying to avoid detection by using an obfuscated copy of SysInternals tools. overridden
A registry key related to SysInternals was modified by a known registry editor
Informational overridden
A registry key related to SysInternals was modified by a known registry editor to circumvent a EULA prompt. overridden
Unusual user account enablement Informational Identity Analytics 1 variation
A user enabled an account. This user does not usually enable user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may enable a user account to gain persistence.Investigative actions: Investigate the associated enabling event. Check if the user is authorized to enable accounts. Confirm that the account enablement was expected. If the account enablement seems suspicious, address it accordingly by disabling the account again, forcing a password change, or monitoring its activity.Variations
Unusual sensitive user account enablement
Low overridden
A user enabled a sensitive account. This user does not usually enable user accounts. overridden
Unusual user account unlock Informational Identity Analytics 1 variation
A user unlocked an account. This user does not usually unlock user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may unlock a user account to gain unauthorized access.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4625, 4776 events). Check if the user is authorized to unlock accounts. Confirm that the user unlock was expected. Monitor services that may be running with a user's credentials, resulting in lockouts.Variations
Unusual sensitive user account unlock
Low overridden
A user unlocked a sensitive account. This user does not usually unlock user accounts. overridden
Unusual user-agent for a cloud identity Informational Cloud 1 variation
A cloud identity has executed an API call with an unusual user-agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Evade detection by using non-standard tools or scripts.Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.Variations
Unusual user-agent for a cloud identity by a compromised AWS access key
Medium overridden
A cloud identity has executed an API call with an unusual user-agent. overridden
Unusual weak authentication by user Informational Identity Analytics
A user account authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be indicative of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage.Unverified domain added to Azure AD Informational Identity Threat Module 1 variation
A new unverified domain was added to Azure AD.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check if the new domain is known for the organization. Check whether the user changing the configuration is permitted. Monitor network activity to and from the added domain.Variations
Rare unverified domain addition to Azure AD
Low overridden
A new unverified domain was added to Azure AD. overridden
Upload pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Usage of homograph characters detected in an email Informational Email
Detected characters resembling Latin letters within an email's subject and/or body.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656) Masquerading (T1036)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation
Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.Variations
Usage of homograph characters detected in an email attachment(s) extension
Low overridden
Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden
Usage of homograph characters detected in an email's from header Informational Email
Detected characters resembling Latin letters within an email's From header.This could indicate an attempt to impersonate a well-known brand or impersonate someone's identity.This could also be used as a method to evade text scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Impersonate known legitimate brands or evade defenses, tricking recipients into clicking on malicious links or attachments.Investigative actions: Check the characters in the email address for any characters that might look slightly different. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.User accessed SaaS resource via anonymous link Informational Identity Threat Module 2 variations
A user accessed a SaaS resource via an anonymous link.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker is attempting to collect sensitive data.Investigative actions: Check the IP address from which the access originated. Examine the file that was accessed for any sensitive indicators. Follow further actions taken, such as downloading files.Variations
External user accessed a sensitive SaaS file via anonymous link
Low overridden
An external user accessed a sensitive SaaS file via an anonymous link. overridden
User accessed a public Google Drive document
Informational overridden
A user accessed a Google Drive document that is public on the web. overridden
User accessed multiple O365 AIP sensitive files Informational Identity Threat Module
A user accessed multiple O365 AIP sensitive files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive information.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.User account delegation change Informational Identity Analytics 2 variations
A user account was modified with delegation to a service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to control an Active Directory environment.Investigative actions: Verify this action with the user who performed the change. Check if the account modified is a service account. Follow actions by the user, including TGT and TGS requests. Monitor for anomalous Kerberos activity.Variations
User account delegation to KRBTGT
High overridden
A user account was modified with delegation to the KRBTGT service. overridden
User account delegation to a DC
Low overridden
A user account was modified with delegation to a service on a domain controller. overridden
User added SID History to an account Informational Identity Analytics 1 variation
A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.Variations
Suspicious SID History Addition
Medium overridden
A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden
User added a new device to Okta Verify instance Informational Identity Threat Module 1 variation
The user has successfully registered a new device with the Okta Verify application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.Investigative actions: Reach out to the user responsible for the device registration to confirm its legitimacy. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN). Make sure the IP address is not showing any abnormal activity. Monitor the activity from the new registered device and ensure that it matches the user's normal activity.Variations
Suspicious device enrollment to Okta
Low overridden
A new device was registered on Okta with suspicious characteristics, which increased the alert severity. overridden
User added to a group and removed Informational Identity Analytics 2 variations
A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.Variations
Rare privileged group addition and removal
Medium overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to a privileged group and removed
Low overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to the SMS Admins local group Low Identity Analytics 1 variation
A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.Variations
User added to the SMS Admins group and removed
Medium overridden
A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden
User and Group Enumeration via SAMR Informational
The endpoint performed unfamiliar SAMR querying activity to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate users and groups to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC-based services to multiple hosts. Check if there are any other suspicious activities originating from the same machine.User attempted to connect from a suspicious country Informational Identity Analytics 1 variation
A user connected from an unusual country. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
User successfully connected from a suspicious country
Low overridden
A user successfully connected from an unusual country. This may indicate the account was compromised. overridden
User collected remote shared files in an archive Low Identity Threat Module
Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.User discovery via WMI query execution Informational 3 variations
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Variations
User discovery via WMI query execution by an unsigned process
Low overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
User modification via WMIC query execution
Low overridden
Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden
User discovery via WMIC query execution
Informational overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
User exported multiple messages in Microsoft Teams via Graph API Informational Identity Threat Module 3 variations
A user exported multiple messages in Microsoft Teams via Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.Variations
User exported multiple chats in Microsoft Teams via Graph API
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User installed an application in Microsoft Teams via Graph API Informational Identity Threat Module 1 variation
A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Cloud Application Integration (T1671)Required data: Microsoft Graph LogsDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.Variations
User installed an application in Microsoft Teams via Graph API from a first seen ASN
Low overridden
A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it. overridden
User moved Exchange sent messages to deleted items Informational Identity Threat Module Email 1 variation
A user moved sent messages to deleted items in Exchange.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to hide newly sent email messages for evasion purposes.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Sensitive Exchange sent messages moved to deleted items from unusual source
Low overridden
A user moved sensitive sent messages to deleted items in Exchange. overridden
User sent messages in Microsoft Teams to multiple conversations via Graph API Informational Identity Threat Module 1 variation
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Internal Spearphishing (T1534)Required data: Microsoft Graph LogsDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage a compromised user account to send phishing or malicious messages via Graph API to multiple recipients, aiming to propagate the attack while evading detection.Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.Variations
User sent messages in Microsoft Teams to several conversations via Graph API with suspicious characteristics
Low overridden
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it. overridden
User set insecure CA registry setting for global SANs Low Identity Analytics
A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.Investigative actions: Confirm whether the registry change was authorized by the user or system administrator. Monitor certificate enrollments with Subject Alternate Names. Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies. Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation
A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)Required data: AzureADAttacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.Variations
User signed in to an uncommon application via Power Automate for the first time
Low overridden
A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden
VM Detection attempt Informational
A script has executed commands that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the script for additional malicious actions. Check for any additional alerts raised within the same context of the script.VM Detection attempt on Linux Informational 2 variations
A Process executed a command and/or accessed a file that can be used to detect VM environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Discovery (TA0007)ATT&CK techniques: Virtualization/Sandbox Evasion: System Checks (T1497.001)Required data: XDR AgentAttacker's goals: Avoid malware analysis by identifying execution from within sandboxes and virtual machines.Investigative actions: Review the process for additional malicious actions. Check for any additional alerts raised within the same context of the script.Variations
VM Detection attempt on Linux with further reconnaissance commands
Medium overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden
VM Detection attempt on Linux using an unpopular technique
Low overridden
A Process executed a command and/or accessed a file that can be used to detect VM environments. overridden
VPN Login Password Spray Informational Identity Analytics 2 variations
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Analyze the time intervals between login attempts to check for patterns indicative of a password spraying attack. Investigate the cause of the login failures (e.g. incorrect passwords, account lockouts, other factors). Review the geographic regions behind the failed login attempts. Investigate if a successful login was made after unsuccessful attempts. Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.Variations
Successful VPN Password Spray Threat Detected with unusual characteristics
Medium overridden
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden
VPN login password spray with unusual characteristics
Low overridden
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden
VPN access with an abnormal operating system Informational Identity Analytics 2 variations
A user accessed a VPN with an abnormal operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a legitimate user and connect to a VPN service to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.Variations
VPN access with a suspicious operating system
Medium overridden
A user accessed a VPN with an abnormal operating system. overridden
VPN access from an abnormal operating system with suspicious characteristics
Low overridden
A user accessed a VPN from an abnormal operating system with some more suspicious characteristics that flagged this login attempt as a suspicious login. overridden
VPN login Brute-Force attempt Informational Identity Analytics 2 variations
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker attempts to gain access to the account.Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.Variations
Successful VPN Login Brute Force
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden
VPN login brute-force attempt with suspicious characteristics
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden
VPN login attempt by a honey user Low Identity Analytics 1 variation
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Abnormal VPN login by a honey user
Medium overridden
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden
VPN login by a dormant user Informational Identity Analytics
A dormant user logged on to a VPN service after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check if the user initiated other logins aside from a VPN login. Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.VPN login by a service account Low Identity Analytics 1 variation
A service account attempted to log in to a VPN service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.Investigative actions: See whether the service authentication was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare VPN login by an administrative service account
Medium overridden
An administrative service account attempted to log in to a VPN service. overridden
VPN login with a machine account Informational Identity Analytics 1 variation
A machine account successfully logged in to a VPN service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.Investigative actions: See whether the service login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare VPN login with a machine account
Low overridden
A machine account successfully logged in to a VPN service. overridden
Vulnerable certificate template loaded Informational Identity Analytics 2 variations
A possible misconfigured certificate template was loaded by Certificate Services. This may indicate potential certificate template abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to exploit AD CS misconfigurations to obtain certificates that can be used for credential theft and privilege escalation.Investigative actions: Review the AD CS configuration for vulnerable templates and EKU settings. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Look for signs of certificate template enumeration via LDAP. Inspect certificates issued to privileged accounts. Check for abnormal PKINIT authentication or elevated Kerberos tickets.Variations
First detection of AD CS ESC vulnerability in certificate template
Medium overridden
A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services for the first time. This may indicate potential certificate template abuse. overridden
Certificate template vulnerable to AD CS ESC attack
Low overridden
A misconfigured certificate template vulnerable to an AD CS ESC attack was loaded by Certificate Services. This may indicate potential certificate template abuse. overridden
Wbadmin deleted files in quiet mode High
Wbadmin was used to delete files in quiet mode.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: XDR AgentAttacker's goals: Adversaries may delete the backup catalog to prevent recovery of a corrupted system.Investigative actions: Check if the delete action was legitimate and performed by an authorized user.Weakly-Encrypted Kerberos TGT Response Informational 1 variation
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).Variations
Abnormal Weakly-Encrypted Kerberos TGT Response
Low overridden
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden
Weakly-Encrypted Kerberos Ticket Requested Low 1 variation
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Weakly-Encrypted Kerberos Ticket Requested on a sensitive server
Medium overridden
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack. This action occurred on a sensitive server, which may indicate a malicious activity. overridden
Web server CGO executed a process following a potential Webshell dropped Informational
A process was executed by a web server CGO following a potential drop of a webshell file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Web server CGO executed an uncommon process Informational 1 variation
An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.Variations
Web server CGO executed a LOLBIN process with direct IP in the command line
High overridden
A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden
WebDAV drive mounted from net.exe over HTTPS Informational
Attackers may mount a WebDAV drive over HTTPS to upload files to and download files from a compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: XDR AgentAttacker's goals: Attackers might use WebDAV as a C&C or exfiltration channel to evade detection and firewall rules.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Well-known brand in sender headers with header inconsistencies Informational Email
Sender headers include a well-known brand with header inconsistencies indicating possible impersonation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Brand ImpersonationAttacker's goals: Impersonate known legitimate brands or other technological entities to trick recipients into disclosing information or executing malicious code unwillingly.Investigative actions: Identify the specific emails responsible for the accumulation of these alerts. Review their headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk. Document and escalate findings in case this is a broader phenomenon.Windows CGO, actor and action processes with anomalous characteristics Informational 2 variations
Windows CGO, actor and action processes with anomalous characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentDetector tags: Process Anomaly AnalyticsAttacker's goals: Processes anomalous characteristics which commonly appear in malicious activities.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the CGO and actor processes that executed the process and check if they are malicious.Variations
Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO
Low overridden
Windows CGO, actor and action processes with anomalous characteristics by an untrusted CGO. overridden
Windows CGO, actor and action processes with highly anomalous characteristics
Low overridden
Windows CGO, actor and action processes with anomalous characteristics. overridden
Windows CGO, actor process and action module with anomalous characteristics Informational 1 variation
Windows CGO, actor process and action module with anomalous characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Loading modules with anomalous characteristics that commonly appear in malicious activities.Investigative actions: Investigate the loaded image and check if it is malicious. Investigate the CGO process and actor process that loaded the module and check if they are malicious.Variations
Windows CGO, actor process and action module with very anomalous characteristics
Low overridden
Windows CGO, actor process and action module with anomalous characteristics. overridden
Windows Event Log was cleared using wevtutil.exe Low 2 variations
A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: XDR AgentAttacker's goals: Delete logs to cover tracks of the malicious activity, making it harder to perform analysis.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Security Event Log was cleared using wevtutil.exe
High overridden
A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden
A Sensitive Windows Event Log was cleared using wevtutil.exe
Medium overridden
A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden
Windows Installer exploitation for local privilege escalation Medium
The Windows installer (msiexec.exe) was likely exploited to run a malicious rollback script (.rbs file) instead of the original.Users should not be able to modify config.msi during the installation process, only SYSTEM should have access to it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Exploitation for Privilege Escalation (T1068)Required data: XDR AgentAttacker's goals: An attacker is attempting to gain SYSTEM privileges.Investigative actions: Investigate the actor process SID and path and whether it's benign or normal for this host. This action is not common, but allowed on Windows versions older than Windows 8. On those systems, check the file reputation for both the CGO and OS actor executables that ran the installation.Windows LOLBIN executable connected to a rare external host Medium 2 variations
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Connect to the attacker's Command and Control server.Investigative actions: Check the external address the process connects to.Variations
Windows LOLBIN executable connected to a rare external host on a newly activated agent
Low overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows LOLBIN executable connected to a rare external host
Medium overridden
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden
Windows event logs were cleared with PowerShell Informational 3 variations
Windows event logs were cleared or deleted with PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: Clear Windows Event Logs (T1070.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may clear events from Windows event logs to remove traces of their malicious activity.Investigative actions: Validate if the script that was executed is from a legitimate IT activity. Look for additional suspicious actions that were executed on the host.Variations
Suspicious clear or delete security provider event logs with PowerShell
High overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Suspicious clear or delete default providers event logs with PowerShell
Medium overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Windows event logs were cleared with uncommon PowerShell command line
Low overridden
Windows event logs were cleared or deleted with PowerShell. overridden
WmiPrvSe.exe Rare Child Command Line Low 1 variation
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.Variations
WmiPrvSe.exe Rare Child Command Line
Medium overridden
A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden
Wscript/Cscript loads .NET DLLs Low
An unusual script loads .NET DLLs, possibly indicating JScriptToDotnet execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentAttacker's goals: Gain code execution on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Wsmprovhost.exe Rare Child Process Low
The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Windows Remote Management (T1021.006) Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR AgentAttacker's goals: Gain code execution on a remote host.Investigative actions: Investigate the processes being spawned from Wsmprovhost.exe on the host for malicious indicators. Correlate the initiator process (most likely PowerShell) to the source host and investigate it.X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations
This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden
Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type
Informational overridden
X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden
Email identified by X-Forefront-Antispam-Report as a phishing attempt
Informational overridden
X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt
Informational overridden
X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden
Email flagged by X-Forefront-Antispam-Report as impersonating internal communication
Informational overridden
X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden
X-Forefront-Antispam-Report has strongly flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report flagged this email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden
X-Forefront-Antispam-Report has flagged this email as a bulk email
Informational overridden
X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden
X-Forefront-Antispam-Report has flagged an internal email as spam
Informational overridden
X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden
X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity
Informational overridden
This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain
Informational overridden
This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden
X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques
Informational overridden
X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden
X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand
Informational overridden
X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden