Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • A third-party application's access to the Google Workspace domain's resources was revoked Informational Identity Threat Module

    An identity removed a third-party application's access to Google Workspace domain's resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker might remove an application to impair the environment.
    Investigative actions: Check the Google Workspace Application settings to determine which actions were triggered. Investigate the source of the request and the user associated with it. Review the access control policies to determine if the removal of the application is allowed.
  • A third-party utility was copied to a different location Informational

    To evade detection, attackers may copy a third-party utility executable to a different location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file rename.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the third-party utility and try to see if it's benign.
  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user accessed an abnormal number of files on a remote shared folder Informational Identity Threat Module

    A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect valuable data about the organization for exfiltration purposes.
    Investigative actions: Check for other suspicious activity made by the user at the time of the event. Go over the list of files and check if such user should have access to those files.
  • A user accessed an abnormal number of remote shared folders Informational Identity Threat Module 1 variation

    A user accessed an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Network Shared Drive (T1039)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect valuable data about the organization for exfiltration purposes.
    Investigative actions: Check for other suspicious activity made by the user at the time of the event. Inspect the shared folder and verify if the user should have accessed to that folder. Go over the list of files and check if such user should have access to those files.

    Variations

    A user accessed an abnormal number of remote shared folders for the first time

    Low overridden

    A user accessed for the first time to an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration. overridden

  • A user accessed an uncommon AppID Informational Identity Threat Module 5 variations

    A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    A user accessed an uncommon external peer-to-peer service

    Informational overridden

    A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon external file-sharing service

    Informational overridden

    A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon peer-to-peer service

    Informational overridden

    A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon file-sharing service

    Informational overridden

    A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon VPN service

    Informational overridden

    A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity. overridden

  • A user accessed multiple time-consuming websites Informational Identity Threat Module

    A user was observed visiting multiple domains for personal reasons. Time theft happens when an employee is paid to work but did not actually work during that time. It might affect your business as it reduces the employee's efficiency.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Search Open Websites/Domains (T1593)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: A user may utilize work time for personal reasons.
    Investigative actions: Investigate the domains accessed and how popular they are in the organization. Verify that the user is not part of a department that visits these websites as part of their daily operations.
  • A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    A user accessed multiple resources via SSO using an anonymized proxy

    Medium overridden

    A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden

    Suspicious user access to multiple resources via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

    Multiple Resource Access from a New IP via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

  • A user account was modified to password never expires Informational Identity Analytics 1 variation

    A user account was modified to password never expires.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Confirm that the account is not a temporary account that could be exploited by an attacker. Verify this action with the user who performed the change. Ensure the organization has a strong password aging policy.

    Variations

    A sensitive account was modified to password never expires

    Low overridden

    A sensitive user account was modified to password never expires. This account is a sensitive account as part of a sensitive built-in Active Directory group. overridden

  • A user added a Windows firewall rule Informational Identity Threat Module

    A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Check Windows Defender Firewall with Advanced Security for a new rule that was added. Check if the new rule was added to different machines as well.
  • A user attempted to bypass Okta MFA Low Identity Threat Module 1 variation

    A user may have attempted to bypass Okta MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.

    Variations

    A successful bypass of Okta MFA

    Low overridden

    Suspicious MFA bypass attempt in Okta. overridden

  • A user authenticated with weak NTLM to multiple hosts Informational Identity Analytics

    A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned user for additional suspicious activity.
  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user changed the Windows system time Informational Identity Threat Module

    A user changed the Windows system time. This may be indicative of a malicious activity and may affect authentication from the source machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Time Discovery (T1124)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: A malicious insider might change their Windows system time. This action might affect the machine's ability to authenticate to the domain.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • A user connected a USB storage device for the first time Informational Identity Threat Module

    A user connected a USB storage device for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to a host Informational Identity Threat Module

    A user connected a new USB storage device that was not seen for this user and host in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to multiple hosts Low Identity Threat Module

    A user connected a new USB storage device to multiple endpoints.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected from a new country Informational Identity Analytics 1 variation

    A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    A user connected from a new country - suspicious characteristics detected

    Low overridden

    The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden

  • A user connected to a VPN from a new country Informational Identity Analytics 1 variation

    A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    A user connected to a VPN from a suspicious country

    Low overridden

    A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden

  • A user created a pfx file for the first time Informational Identity Analytics 1 variation

    A user created a pfx file for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may export certificates to pfx files to use them for authentication, persistence or NTLM extraction.
    Investigative actions: Check if the pfx creation is legitimate for the user (testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).

    Variations

    A user created a pfx in a suspicious folder for the first time

    Low overridden

    A user created a pfx in a suspicious folder which is publicly accessible, for the first time. overridden

  • A user created an abnormal password-protected archive Informational Identity Threat Module

    A user created an abnormal password-protected archive using an archive program.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.
  • A user enabled a default local account Informational Identity Analytics 2 variations

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.
    Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.

    Variations

    A user enabled the Windows DefaultAccount

    Low overridden

    A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

    A user enabled the Windows default Guest account

    Low overridden

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

  • A user established an SMB connection to multiple hosts Informational Identity Analytics 2 variations

    A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries can effectively map out and strategize their lateral movement within a network by leveraging diverse protocols for reconnaissance.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Look for the process that initiated this activity on the remote host. Check if the user is authorized to perform such activity.

    Variations

    A user established an SMB connection to multiple hosts for the first time

    Medium overridden

    A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden

    A user performed an abnormal SMB activity to multiple hosts

    Low overridden

    A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden

  • A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation

    A user executed multiple LDAP enumeration queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server)
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.

    Variations

    A user executed suspicious LDAP enumeration queries

    Low overridden

    A user executed multiple LDAP enumeration queries. overridden

  • A user logged in at an unusual time via SSO Informational Identity Analytics 1 variation

    A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check the login of the user. Check further actions done by the account (e.g. creating files in suspicious locations, creating users, elevating permissions, etc.). Check if the user accessing remote resources or connecting to other services. Check if the user is logging in from an unusual time zone while traveling. Check if the user usually logs in from this country.

    Variations

    Google Workspace - A user logged in at an unusual time via SSO

    Informational overridden

    A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised. overridden

  • A user logged in at an unusual time via VPN Informational Identity Analytics

    A user connected to a VPN on a day and hour, which is unusual for this user. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check the amount of traffic and how long it continues. Follow further actions done by the user.
  • A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation

    A user logged in from an unusual country or ASN. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.

    Variations

    A service account successfully logged in from a new country or ASN

    Low overridden

    A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden

  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user modified an Okta MFA factor Informational Identity Threat Module 1 variation

    An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.

    Variations

    Abnormal Okta MFA Factor Authentication Modification

    Low overridden

    An OKTA MFA factor was modified by a user with suspicious conditions. overridden

  • A user modified an Okta network zone Informational Identity Threat Module 2 variations

    An Okta network zone was modified by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta network zone to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other network zones have been changed or removed.

    Variations

    The user has made an unusual modification to the Okta Network zone

    Medium overridden

    An atypical modification to the Okta Network zone has been performed by the user. overridden

    A user modified an Okta network zone with suspicious characteristics

    Low overridden

    An Okta network zone was modified by a user with suspicious characteristics. overridden

  • A user modified an Okta policy rule Informational Identity Threat Module 1 variation

    An Okta policy rule was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.

    Variations

    A user modified an Okta policy rule with suspicious characteristics

    Low overridden

    An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden

  • A user modified the CA audit policy Low Identity Analytics

    This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable Windows Event Logging (T1562.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to cover their tracks before an AD CS attack.
    Investigative actions: Check the user account modifying the CA audit policy and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.
  • A user observed and reported unusual activity in Okta Informational Identity Threat Module 2 variations

    A user observed and reported unusual activity in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.
    Investigative actions: Investigate the original event that was reported as suspicious. Contact the user and understand why he reported the activity as suspicious. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.

    Variations

    Multiple users have reported the same suspicious activity

    Medium overridden

    Unusual activity in Okta reported about an IP not linked to an EDR agent, the operation is rare and flagged by multiple users. overridden

    Unusual activity in Okta was reported by a user along with suspicious characteristics

    Low overridden

    A user observed and reported unusual activity in Okta. overridden

  • A user performed suspiciously massive file activity Informational Identity Threat Module 1 variation

    A user generated massive file activity by size or distinct file count.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001) Data Staged: Remote Data Staging (T1074.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.

    Variations

    A user performed suspiciously large file activities over 1 GB in a short period of time

    Low overridden

    A user generated massive file activity by size or distinct file count. overridden

  • A user printed an unusual number of files Informational Identity Threat Module

    A user printed an unusual number of files. This may be indicative of malicious activity and an attempt to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium (T1052)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: In an attempt to exfiltrate data, a malicious insider might print an unusual number of files.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation

    A user queried AD CS objects via LDAP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.

    Variations

    A user enumerated AD CS objects using suspicious LDAP query

    Low overridden

    A user enumerated AD CS objects using suspicious LDAP query. overridden

  • A user received multiple weakly encrypted service tickets Informational Identity Analytics 1 variation

    A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Abnormal issuance of weakly encrypted service tickets to a user

    Low overridden

    A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack. overridden

  • A user rejected an SSO request from an unusual country Low Identity Analytics

    A user rejected an SSO authentication request from an abnormal country.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.
  • A user requested multiple service tickets Informational Identity Analytics 1 variation

    A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Abnormal issuance of service tickets to a user

    Low overridden

    A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack. overridden

  • A user sent multiple TGT requests to irregular service Low Identity Analytics 2 variations

    A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    A user sent an excessive number of TGT requests to irregular services

    Medium overridden

    A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack. overridden

    A user sent a TGT request to irregular service

    Informational overridden

    A user sent a TGT request to a service other than KRBTGT and KADMIN. This might indicate an attempt to perform a Kerberoasting attack. overridden

  • A user took numerous screenshots Informational Identity Threat Module

    A user took numerous screenshots. A valuable organization's information may have been collected in this way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Screen Capture (T1113) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether this activity fits the user profile. Check for any other suspicious activity related to the host and the user involved in the alert. Check if there was a suspicious file upload following the massive screenshot activity. Check whether other users in the organization used the same process for file activity.
  • A user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations

    A user uploaded a file that was classified as malware to SharePoint or OneDrive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.

    Variations

    A user uploaded malware to SharePoint or OneDrive with suspicious characteristics

    Medium overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden

    A user uploaded a malicious payload to SharePoint or OneDrive

    Informational overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden

  • A user was added to a Windows security group Informational Identity Analytics 4 variations

    A user was added to a Windows security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added a member to a Windows privileged group for the first time

    Medium overridden

    A user was added to a Windows security privileged group. overridden

    User added to a Windows privileged group

    Low overridden

    A user was added to a Windows security privileged group. overridden

    User removed from a Windows privileged group

    Informational overridden

    A user was removed from a Windows security privileged group. overridden

    A user was removed from a Windows security group

    Informational overridden

    A user was removed from a Windows security group. overridden

  • ADFS DKM Key Access Low Identity Threat Module

    ADFS DKM key attribute (thumbnailphoto) access in AD container, potential Golden SAML token forging attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.
    Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • AI model discovery Low Cloud

    A cloud identity listed available AI models. This behavior often suggests reconnaissance on AI models and potential misuse.MITRE ATLAS Technique: AML.T0007 - Discover ML Artifacts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gather information about AI models in the environment.
    Investigative actions: Determine which AI models were enumerated. Monitor the usage of affected AI models to detect potential misuse, such as unusual or excessive access attempts. Investigate any unusual activity originating from the suspected identity.
  • AI safeguards deletion attempt Informational Cloud 1 variation

    A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.
    Investigative actions: Examine which AI models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    AI safeguards were successfully deleted

    Low overridden

    A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

  • AI safeguards were modified Informational Cloud 2 variations

    A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.
    Investigative actions: Examine changed safeguards filters and determine which AI models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual modification of AI safeguards

    Low overridden

    A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

    AI safeguards were created or modified

    Informational overridden

    A cloud identity created or modified AI safeguards. overridden

  • AI-determined combination of risky alerts under the same actor process Informational 1 variation

    Multiple alerts likely to be associated with an incident were identified under the same actor process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the actor process of these alerts. Track down other suspicious activity under this actor process.

    Variations

    AI-determined combination of risky alerts under the same actor process: LDAP traffic from non-standard process with SMB traffic from non-standard process

    Medium overridden

    A non-standard process communicated over LDAP ports, combined with SMB traffic from a non-standard process under the same actor process. This combination may indicate an attacker performing Active Directory enumeration while leveraging SMB for lateral movement or discovery. overridden

  • AI-determined combination of risky alerts under the same causality Informational

    Multiple alerts likely to be associated with an incident were identified under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: AI Insight Fusion Analytics
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the causality of these alerts. Track down other suspicious activity under this causality.
  • AWS Backup recovery point deletion Informational Cloud

    An attempt was made to delete an AWS Backup recovery point.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete backup recovery points to prevent system recovery after compromise.
    Investigative actions: Identify the deleted recovery point and its associated resource. Investigate the identity that performed the deletion and review recent related activity.
  • AWS Bedrock model invocation logging deletion Low Cloud 2 variations

    A cloud identity deleted the model invocation logging.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Avoid detection by limiting collected data from models.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.

    Variations

    AWS Bedrock model invocation logging deletion by an identity with administrative activity

    Informational overridden

    A cloud identity with administrative activity deleted the model invocation logging. overridden

    AWS Bedrock model invocation logging was successfully deleted

    Low overridden

    A cloud identity successfully deleted the model invocation logging. overridden

  • AWS CloudTrail has been stopped Informational Cloud 2 variations

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Verify whether the identity attempted to stop trail logging. Determine if additional trails continue to log activity.

    Variations

    AWS CloudTrail has been stopped

    Medium overridden

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden

    AWS CloudTrail has been stopped

    Low overridden

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden

  • AWS CloudTrail modification Informational Cloud 2 variations

    An identity updated a CloudTrail trail configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Review the activity of the identity that modified the trail's configuration. Check which trail is affected by this change. Verify whether a new destination has been set for log archiving.

    Variations

    AWS CloudTrail modification

    Medium overridden

    An identity updated a CloudTrail trail configuration. overridden

    AWS CloudTrail modification

    Low overridden

    An identity updated a CloudTrail trail configuration. overridden

  • AWS CloudWatch log group deletion Informational Cloud

    An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.
  • AWS CloudWatch log stream deletion Informational Cloud

    An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.
  • AWS Config Recorder stopped Informational Cloud

    Configuration Recorder was stopped for a resource in AWS Config.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check the identity which stopped the configuration recording. Check what resources are affected by this change.
  • AWS EBS discovery operation Informational Cloud

    AWS EBS discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.
    Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.
  • AWS EBS enumeration activity Informational Cloud

    EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.
    Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.
  • AWS EBS snapshot deletion Informational Cloud

    An attempt was made to delete an EBS snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.
    Investigative actions: Identify the deleted snapshot and its associated resource. Investigate the identity that performed the deletion and review recent related activity.
  • AWS EC2 discovery operation Informational Cloud 3 variations

    AWS EC2 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.
    Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.

    Variations

    AWS VPC discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS Site-to-Site VPN discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS PrivateLink discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

  • AWS EC2 infrastructure enumeration activity Informational Cloud

    EC2 infrastructure enumeration activity detected within a specific AWS region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover EC2 resources and network setup to find potential weaknesses or targets. Use the gathered information to enable lateral movement, privilege escalation, or data exfiltration.
    Investigative actions: Identify and review the specific EC2 enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.
  • AWS EC2 instance exported into S3 Informational Cloud

    A running or stopped instance was exported to an Amazon S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • AWS Flow Logs deletion Informational Cloud

    A cloud identity has deleted one or more Flow Logs records.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate information.
    Investigative actions: Check if the Identity intended to delete the Flow Logs record/s. Check what VPC is affected by this.
  • AWS Guard-Duty detector deletion Low Cloud

    AWS Guard-Duty detector was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: This action may assist an attacker to evade detection.
    Investigative actions: Check why the identity deleted the detector. Check what resources are relevant to the deleted detector.
  • AWS IAM account discovery operation Informational Cloud

    AWS IAM account discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Understand the IAM structure and relationships between users, roles, and groups to identify high-privilege identities or misconfigurations. Identify identities or roles that can be used to escalate privileges or gain broader access.
    Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.
  • AWS IAM permission groups discovery operation Informational Cloud 1 variation

    AWS IAM permission groups discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Cloud Groups (T1069.003)
    Required data: AWS Audit Log
    Attacker's goals: Understand the IAM structure and relationships between users, groups, and roles. Identify high-privilege identities or misconfigurations for privilege escalation.
    Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.

    Variations

    Unusual AWS IAM permission groups discovery operation

    Informational overridden

    First execution of an AWS IAM permission groups discovery operation by a non-user identity. overridden

  • AWS IAM resource group deletion Informational Cloud

    An AWS IAM resource group was deleted, this action may affect the permissions of the members of the deleted group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may interrupt the availability of an account, this may revoke access to the account.
    Investigative actions: Check what members were affected by this action.
  • AWS Lambda discovery operation Informational Cloud

    AWS Lambda discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.
    Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.
  • AWS Lambda infrastructure enumeration activity Informational Cloud

    Lambda infrastructure enumeration activity detected within a specific AWS region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover deployed functions and their configurations. Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths. Enumerate metadata for potential weaknesses or sensitive data.
    Investigative actions: Identify and review the specific Lambda enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.
  • AWS Password Policy Discovery Informational Cloud

    A cloud identity has viewed the AWS account password policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Password Policy Discovery (T1201)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining the account password policy facilitates password brute-force attacks and enables lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • AWS RDS cluster deletion Informational Cloud

    A previously provisioned DB cluster (RDS) was deleted.When a DB cluster is being deleted, all automated backups for that DB cluster are deleted and can't be recovered.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Destruction of data.
    Investigative actions: Check which cluster was deleted. Check if there are any manual backups for that cluster (as they are not affected by this action).
  • AWS S3 Buckets enumeration activity Informational Cloud

    Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover available S3 buckets in the environment. Enumerate objects within buckets to determine the type and structure of stored data. Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.
    Investigative actions: Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns. Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.
  • AWS S3 bucket was exposed to public access Low Cloud 2 variations

    AWS bucket was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the bucket to public. Change the bucket or ACL policy for bucket. Restrict permissions for the identity if needed.

    Variations

    AWS S3 bucket was exposed to public access by admin cloud identity

    Informational overridden

    AWS bucket was publicly shared. overridden

    AWS S3 bucket was exposed to public access containing sensitive information

    High overridden

    AWS bucket was publicly shared. overridden

  • AWS S3 discovery operation Informational Cloud

    AWS S3 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible buckets, enumerate their contents, and assess permissions or public exposure. Locate sensitive data, evaluate exfiltration paths, and plan privilege escalation or misconfiguration abuse.
    Investigative actions: Verify if the identity normally interacts with S3 in this environment. Check whether the activity was part of a legitimate application or automated process or if it appears interactive or out-of-pattern. Look for signs of broad enumeration, such as listing multiple buckets or traversing objects across different buckets. Investigate whether the accessed bucket or objects contain sensitive data or are configured for public or cross-account access. Correlate with other actions to determine if data was accessed, exfiltrated, or altered.
  • AWS SES account sending settings modified Informational Cloud

    AWS SES account sending settings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to confidential emails of an organization. Compromise the organization's cloud Email infrastructure.
    Investigative actions: Check whether the SES Email sending setting modification was intentional.
  • AWS SSM parameters discovery Informational Cloud 1 variation

    An attempt was made to list parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS SSM parameters discovery

    Informational overridden

    An attempt was made to list parameters stored in AWS SSM. overridden

  • AWS SSM parameters retrieval Informational Cloud 2 variations

    An attempt was made to retrieve parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS SSM parameter store.
    Investigative actions: Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

    Variations

    AWS SSM encrypted parameters retrieval

    Informational overridden

    An attempt was made to retrieve encrypted parameters stored in AWS SSM. overridden

    Unusual AWS SSM parameters retrieval

    Informational overridden

    An attempt was made to retrieve parameters stored in AWS SSM. overridden

  • AWS SSM send command attempt Informational Cloud 2 variations

    An identity executed an AWS SSM Document.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.

    Variations

    AWS SSM SendCommand targeting multiple instances

    Low overridden

    An identity executed an AWS SSM Document. overridden

    Unusual AWS SSM send command

    Low overridden

    An identity executed an AWS SSM Document. overridden

  • AWS STS temporary credentials were generated Informational Cloud

    AWS STS temporary credentials were generated for an AWS identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)
    Required data: AWS Audit Log
    Attacker's goals: Gain access and persistence to AWS account.
    Investigative actions: Check which operation executed with the new credentials.
  • AWS Secrets Manager Access Informational Cloud 1 variation

    An attempt was made to retrieve secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Investigate the secret's purpose and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.

    Variations

    Unusual AWS Secrets Manager Access

    Informational overridden

    An attempt was made to retrieve secrets from AWS Secrets Manager. overridden

  • AWS Secrets Manager discovery Informational Cloud 1 variation

    An attempt was made to list secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS Secrets Manager discovery

    Informational overridden

    An attempt was made to list secrets from AWS Secrets Manager. overridden

  • AWS Security Service Enumeration Informational Cloud 1 variation

    AWS security service enumeration activity, potentially indicating reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Software Discovery (T1518) Software Discovery: Security Software Discovery (T1518.001) Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Reconnaissance of security defenses to assess and identify exploitable weaknesses.
    Investigative actions: Review which API calls were executed and their frequency. Analyze the identity performing the actions. Inspect configurations of enumerated services.

    Variations

    AWS Multiple Security Services Enumeration

    Informational overridden

    AWS security service enumeration activity, potentially indicating reconnaissance. overridden

  • AWS SecurityHub findings were modified Informational Cloud

    AWS SecurityHub findings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: AWS Audit Log
    Attacker's goals: Bypass security measures implemented by AWS SecurityHub.
    Investigative actions: Check the current AWS SecurityHub settings and verify they are configured properly.
  • AWS Storage Gateway enumeration Informational Cloud

    An AWS Storage Gateway was enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS Storage Gateway file share enumeration Informational Cloud

    AWS Storage Gateway file shares were enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS Transfer Family server created Informational Cloud 1 variation

    A cloud identity created server using AWS Transfer Family service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Attacker is trying to exfiltrate data out of AWS storage services.
    Investigative actions: Check if the AWS Transfer Family service is used by your organization. Check if {identity_name} created a server using this service before. Check which storage instances were affected by {transfer_server_id} server.

    Variations

    Unusual cloud transfer service activity

    Low overridden

    A cloud identity created server using AWS Transfer Family service. overridden

  • AWS config resource deletion Informational Cloud

    An AWS config resource deletion this includes:Config rule, organization rule, configuration recorder, remediation configuration, conformance pack, configuration aggregator, delivery channel, retention configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may modify Config configuration to evade detection.
    Investigative actions: Check why the identity deleted the configuration. Check what resources are relevant to the deleted config.
  • AWS console login without MFA Informational Cloud

    An identity logged in to the AWS console without MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
    Required data: AWS Audit Log
    Attacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.
    Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.
  • AWS data asset shared public Low Cloud

    A data asset was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.
  • AWS network ACL rule creation Informational Cloud

    An AWS network ACL rule was created with a specific rule number.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.
  • AWS network ACL rule deletion Informational Cloud

    An AWS network ACL rule was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Identify which VPC and associated resources are affected. Check the rule number, as ACL rules are evaluated in order. Determine whether the rule is ingress or egress.
  • AWS principals discovery Informational Cloud

    A cloud identity has enumerated principals.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of principals that could be targeted for lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • AWS resource discovery Informational Cloud

    A cloud identity has enumerated resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • AWS root account activity Informational Cloud

    The AWS root account has successfully performed an operation in the project.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Use legitimate credentials of a cloud account to access resources.
    Investigative actions: Look for any signs the Root user is compromised. Determine if the Root credentials need to be changed.
  • AWS support case creation Informational Cloud

    A cloud identity has created a new case in AWS support.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.
    Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .
  • AWS user creation Informational Cloud

    A new AWS user was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003)
    Required data: AWS Audit Log
    Attacker's goals: Maintaining persistence by creating backdoor users or malicious resources, ensuring ongoing access even if their initial entry is detected.
    Investigative actions: Check which user was created. Investigate the created user role and permissions. Verify the user who created the new identity is aware of this action. Be aware of any suspicious activity originating from the new user.
  • AWS web ACL deletion Informational Cloud 1 variation

    Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: To impair defense, this may assist data exfiltration.
    Investigative actions: Verify if the identity intended to delete the Web ACL. Check what resources are affected by the Web ACL deletion.

    Variations

    Successful AWS web ACL deletion by a non-admin identity

    Low overridden

    Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted. overridden

  • Abnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations

    An identity allocated an unusual compute resource pool, suspected as mining activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to generate virtual currency.
    Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).

    Variations

    Abnormal Unusual allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Suspicious allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in a high number of regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in multiple regions by an unusual identity

    Low overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

  • Abnormal Communication to a Rare Domain Informational 3 variations

    An abnormal communication was seen from an internal entity to a rare domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR C2 Detection
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.

    Variations

    Abnormal Communication to a Rare Domain With a Port Commonly Used by Attack Platforms

    Low overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

    Abnormal Communication to a Rare Domain to a Suspicious Autonomous System (AS)

    Informational overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

    Abnormal Communication to a Rare Domain With a Less Common Port

    Informational overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden