Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapA third-party application's access to the Google Workspace domain's resources was revoked Informational Identity Threat Module
An identity removed a third-party application's access to Google Workspace domain's resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker might remove an application to impair the environment.Investigative actions: Check the Google Workspace Application settings to determine which actions were triggered. Investigate the source of the request and the user associated with it. Review the access control policies to determine if the removal of the application is allowed.A third-party utility was copied to a different location Informational
To evade detection, attackers may copy a third-party utility executable to a different location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file rename.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the third-party utility and try to see if it's benign.A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
A user accessed an abnormal number of files on a remote shared folder Informational Identity Threat Module
A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect valuable data about the organization for exfiltration purposes.Investigative actions: Check for other suspicious activity made by the user at the time of the event. Go over the list of files and check if such user should have access to those files.A user accessed an abnormal number of remote shared folders Informational Identity Threat Module 1 variation
A user accessed an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Network Shared Drive (T1039)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect valuable data about the organization for exfiltration purposes.Investigative actions: Check for other suspicious activity made by the user at the time of the event. Inspect the shared folder and verify if the user should have accessed to that folder. Go over the list of files and check if such user should have access to those files.Variations
A user accessed an abnormal number of remote shared folders for the first time
Low overridden
A user accessed for the first time to an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration. overridden
A user accessed an uncommon AppID Informational Identity Threat Module 5 variations
A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user accessed an uncommon external peer-to-peer service
Informational overridden
A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon external file-sharing service
Informational overridden
A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon peer-to-peer service
Informational overridden
A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon file-sharing service
Informational overridden
A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon VPN service
Informational overridden
A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity. overridden
A user accessed multiple time-consuming websites Informational Identity Threat Module
A user was observed visiting multiple domains for personal reasons. Time theft happens when an employee is paid to work but did not actually work during that time. It might affect your business as it reduces the employee's efficiency.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Search Open Websites/Domains (T1593)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: A user may utilize work time for personal reasons.Investigative actions: Investigate the domains accessed and how popular they are in the organization. Verify that the user is not part of a department that visits these websites as part of their daily operations.A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.Variations
A user accessed multiple resources via SSO using an anonymized proxy
Medium overridden
A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden
Suspicious user access to multiple resources via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
Multiple Resource Access from a New IP via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
A user account was modified to password never expires Informational Identity Analytics 1 variation
A user account was modified to password never expires.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Confirm that the account is not a temporary account that could be exploited by an attacker. Verify this action with the user who performed the change. Ensure the organization has a strong password aging policy.Variations
A sensitive account was modified to password never expires
Low overridden
A sensitive user account was modified to password never expires. This account is a sensitive account as part of a sensitive built-in Active Directory group. overridden
A user added a Windows firewall rule Informational Identity Threat Module
A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Check Windows Defender Firewall with Advanced Security for a new rule that was added. Check if the new rule was added to different machines as well.A user attempted to bypass Okta MFA Low Identity Threat Module 1 variation
A user may have attempted to bypass Okta MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.Variations
A successful bypass of Okta MFA
Low overridden
Suspicious MFA bypass attempt in Okta. overridden
A user authenticated with weak NTLM to multiple hosts Informational Identity Analytics
A user account authenticated to multiple hosts via NTLMv1 or LM authentication for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned user for additional suspicious activity.A user certificate was issued with a mismatch Informational Identity Analytics 1 variation
A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.Variations
Suspicious certificate issuance with a mismatch
Low overridden
A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden
A user changed the Windows system time Informational Identity Threat Module
A user changed the Windows system time. This may be indicative of a malicious activity and may affect authentication from the source machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Time Discovery (T1124)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: A malicious insider might change their Windows system time. This action might affect the machine's ability to authenticate to the domain.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.A user connected a USB storage device for the first time Informational Identity Threat Module
A user connected a USB storage device for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to a host Informational Identity Threat Module
A user connected a new USB storage device that was not seen for this user and host in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to multiple hosts Low Identity Threat Module
A user connected a new USB storage device to multiple endpoints.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected from a new country Informational Identity Analytics 1 variation
A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
A user connected from a new country - suspicious characteristics detected
Low overridden
The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden
A user connected to a VPN from a new country Informational Identity Analytics 1 variation
A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
A user connected to a VPN from a suspicious country
Low overridden
A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden
A user created a pfx file for the first time Informational Identity Analytics 1 variation
A user created a pfx file for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may export certificates to pfx files to use them for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx creation is legitimate for the user (testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Variations
A user created a pfx in a suspicious folder for the first time
Low overridden
A user created a pfx in a suspicious folder which is publicly accessible, for the first time. overridden
A user created an abnormal password-protected archive Informational Identity Threat Module
A user created an abnormal password-protected archive using an archive program.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.A user enabled a default local account Informational Identity Analytics 2 variations
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.Variations
A user enabled the Windows DefaultAccount
Low overridden
A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user enabled the Windows default Guest account
Low overridden
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user established an SMB connection to multiple hosts Informational Identity Analytics 2 variations
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries can effectively map out and strategize their lateral movement within a network by leveraging diverse protocols for reconnaissance.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Look for the process that initiated this activity on the remote host. Check if the user is authorized to perform such activity.Variations
A user established an SMB connection to multiple hosts for the first time
Medium overridden
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden
A user performed an abnormal SMB activity to multiple hosts
Low overridden
A user established an SMB connection to multiple hosts. This might indicate an enumeration attempt by a compromised account. overridden
A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation
A user executed multiple LDAP enumeration queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server)Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Variations
A user executed suspicious LDAP enumeration queries
Low overridden
A user executed multiple LDAP enumeration queries. overridden
A user logged in at an unusual time via SSO Informational Identity Analytics 1 variation
A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Check the login of the user. Check further actions done by the account (e.g. creating files in suspicious locations, creating users, elevating permissions, etc.). Check if the user accessing remote resources or connecting to other services. Check if the user is logging in from an unusual time zone while traveling. Check if the user usually logs in from this country.Variations
Google Workspace - A user logged in at an unusual time via SSO
Informational overridden
A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised. overridden
A user logged in at an unusual time via VPN Informational Identity Analytics
A user connected to a VPN on a day and hour, which is unusual for this user. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Check the amount of traffic and how long it continues. Follow further actions done by the user.A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation
A user logged in from an unusual country or ASN. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.Variations
A service account successfully logged in from a new country or ASN
Low overridden
A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden
A user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations
A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.Variations
Rare user authentication with a certificate via Schannel
Low overridden
A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
Abnormal authentication with a certificate via Schannel
Informational overridden
An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
A user modified an Okta MFA factor Informational Identity Threat Module 1 variation
An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.Variations
Abnormal Okta MFA Factor Authentication Modification
Low overridden
An OKTA MFA factor was modified by a user with suspicious conditions. overridden
A user modified an Okta network zone Informational Identity Threat Module 2 variations
An Okta network zone was modified by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta network zone to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other network zones have been changed or removed.Variations
The user has made an unusual modification to the Okta Network zone
Medium overridden
An atypical modification to the Okta Network zone has been performed by the user. overridden
A user modified an Okta network zone with suspicious characteristics
Low overridden
An Okta network zone was modified by a user with suspicious characteristics. overridden
A user modified an Okta policy rule Informational Identity Threat Module 1 variation
An Okta policy rule was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.Variations
A user modified an Okta policy rule with suspicious characteristics
Low overridden
An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden
A user modified the CA audit policy Low Identity Analytics
This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable Windows Event Logging (T1562.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to cover their tracks before an AD CS attack.Investigative actions: Check the user account modifying the CA audit policy and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.A user observed and reported unusual activity in Okta Informational Identity Threat Module 2 variations
A user observed and reported unusual activity in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.Investigative actions: Investigate the original event that was reported as suspicious. Contact the user and understand why he reported the activity as suspicious. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Variations
Multiple users have reported the same suspicious activity
Medium overridden
Unusual activity in Okta reported about an IP not linked to an EDR agent, the operation is rare and flagged by multiple users. overridden
Unusual activity in Okta was reported by a user along with suspicious characteristics
Low overridden
A user observed and reported unusual activity in Okta. overridden
A user performed suspiciously massive file activity Informational Identity Threat Module 1 variation
A user generated massive file activity by size or distinct file count.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001) Data Staged: Remote Data Staging (T1074.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.Variations
A user performed suspiciously large file activities over 1 GB in a short period of time
Low overridden
A user generated massive file activity by size or distinct file count. overridden
A user printed an unusual number of files Informational Identity Threat Module
A user printed an unusual number of files. This may be indicative of malicious activity and an attempt to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium (T1052)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: In an attempt to exfiltrate data, a malicious insider might print an unusual number of files.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.A user queried AD CS objects via LDAP Informational Identity Analytics 1 variation
A user queried AD CS objects via LDAP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: File and Directory Discovery (T1083) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might look for AD CS servers, certificate templates or request certificates. With the wrong setting or loose vulnerable templates or enabled enrollment, the attacker will be able to authenticate as users on the network.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time). Investigate the LDAP search query for any suspicious indicators.Variations
A user enumerated AD CS objects using suspicious LDAP query
Low overridden
A user enumerated AD CS objects using suspicious LDAP query. overridden
A user received multiple weakly encrypted service tickets Informational Identity Analytics 1 variation
A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Abnormal issuance of weakly encrypted service tickets to a user
Low overridden
A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack. overridden
A user rejected an SSO request from an unusual country Low Identity Analytics
A user rejected an SSO authentication request from an abnormal country.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.A user requested multiple service tickets Informational Identity Analytics 1 variation
A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Abnormal issuance of service tickets to a user
Low overridden
A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack. overridden
A user sent multiple TGT requests to irregular service Low Identity Analytics 2 variations
A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
A user sent an excessive number of TGT requests to irregular services
Medium overridden
A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack. overridden
A user sent a TGT request to irregular service
Informational overridden
A user sent a TGT request to a service other than KRBTGT and KADMIN. This might indicate an attempt to perform a Kerberoasting attack. overridden
A user took numerous screenshots Informational Identity Threat Module
A user took numerous screenshots. A valuable organization's information may have been collected in this way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether this activity fits the user profile. Check for any other suspicious activity related to the host and the user involved in the alert. Check if there was a suspicious file upload following the massive screenshot activity. Check whether other users in the organization used the same process for file activity.A user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations
A user uploaded a file that was classified as malware to SharePoint or OneDrive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)Required data: Office 365 AuditAttacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.Variations
A user uploaded malware to SharePoint or OneDrive with suspicious characteristics
Medium overridden
A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden
A user uploaded a malicious payload to SharePoint or OneDrive
Informational overridden
A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden
A user was added to a Windows security group Informational Identity Analytics 4 variations
A user was added to a Windows security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added a member to a Windows privileged group for the first time
Medium overridden
A user was added to a Windows security privileged group. overridden
User added to a Windows privileged group
Low overridden
A user was added to a Windows security privileged group. overridden
User removed from a Windows privileged group
Informational overridden
A user was removed from a Windows security privileged group. overridden
A user was removed from a Windows security group
Informational overridden
A user was removed from a Windows security group. overridden
ADFS DKM Key Access Low Identity Threat Module
ADFS DKM key attribute (thumbnailphoto) access in AD container, potential Golden SAML token forging attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).AI model discovery Low Cloud
A cloud identity listed available AI models. This behavior often suggests reconnaissance on AI models and potential misuse.MITRE ATLAS Technique: AML.T0007 - Discover ML Artifacts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gather information about AI models in the environment.Investigative actions: Determine which AI models were enumerated. Monitor the usage of affected AI models to detect potential misuse, such as unusual or excessive access attempts. Investigate any unusual activity originating from the suspected identity.AI safeguards deletion attempt Informational Cloud 1 variation
A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.Investigative actions: Examine which AI models were affected. Investigate any unusual activity originating from the suspected identity.Variations
AI safeguards were successfully deleted
Low overridden
A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
AI safeguards were modified Informational Cloud 2 variations
A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.Investigative actions: Examine changed safeguards filters and determine which AI models were affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual modification of AI safeguards
Low overridden
A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
AI safeguards were created or modified
Informational overridden
A cloud identity created or modified AI safeguards. overridden
AI-determined combination of risky alerts under the same actor process Informational 1 variation
Multiple alerts likely to be associated with an incident were identified under the same actor process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204) Native API (T1106)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsAttacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.Investigative actions: Investigate the actor process of these alerts. Track down other suspicious activity under this actor process.Variations
AI-determined combination of risky alerts under the same actor process: LDAP traffic from non-standard process with SMB traffic from non-standard process
Medium overridden
A non-standard process communicated over LDAP ports, combined with SMB traffic from a non-standard process under the same actor process. This combination may indicate an attacker performing Active Directory enumeration while leveraging SMB for lateral movement or discovery. overridden
AI-determined combination of risky alerts under the same causality Informational
Multiple alerts likely to be associated with an incident were identified under the same causality.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204) Native API (T1106)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: AI Insight Fusion AnalyticsAttacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.Investigative actions: Investigate the causality of these alerts. Track down other suspicious activity under this causality.AWS Backup recovery point deletion Informational Cloud
An attempt was made to delete an AWS Backup recovery point.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit LogAttacker's goals: Adversaries may delete backup recovery points to prevent system recovery after compromise.Investigative actions: Identify the deleted recovery point and its associated resource. Investigate the identity that performed the deletion and review recent related activity.AWS Bedrock model invocation logging deletion Low Cloud 2 variations
A cloud identity deleted the model invocation logging.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Avoid detection by limiting collected data from models.Investigative actions: Investigate any unusual activity originating from the suspected identity.Variations
AWS Bedrock model invocation logging deletion by an identity with administrative activity
Informational overridden
A cloud identity with administrative activity deleted the model invocation logging. overridden
AWS Bedrock model invocation logging was successfully deleted
Low overridden
A cloud identity successfully deleted the model invocation logging. overridden
AWS CloudTrail has been stopped Informational Cloud 2 variations
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Verify whether the identity attempted to stop trail logging. Determine if additional trails continue to log activity.Variations
AWS CloudTrail has been stopped
Medium overridden
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden
AWS CloudTrail has been stopped
Low overridden
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden
AWS CloudTrail modification Informational Cloud 2 variations
An identity updated a CloudTrail trail configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Review the activity of the identity that modified the trail's configuration. Check which trail is affected by this change. Verify whether a new destination has been set for log archiving.Variations
AWS CloudTrail modification
Medium overridden
An identity updated a CloudTrail trail configuration. overridden
AWS CloudTrail modification
Low overridden
An identity updated a CloudTrail trail configuration. overridden
AWS CloudWatch log group deletion Informational Cloud
An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.AWS CloudWatch log stream deletion Informational Cloud
An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.AWS Config Recorder stopped Informational Cloud
Configuration Recorder was stopped for a resource in AWS Config.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check the identity which stopped the configuration recording. Check what resources are affected by this change.AWS EBS discovery operation Informational Cloud
AWS EBS discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)Required data: AWS Audit LogAttacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.AWS EBS enumeration activity Informational Cloud
EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.AWS EBS snapshot deletion Informational Cloud
An attempt was made to delete an EBS snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.Investigative actions: Identify the deleted snapshot and its associated resource. Investigate the identity that performed the deletion and review recent related activity.AWS EC2 discovery operation Informational Cloud 3 variations
AWS EC2 discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.Variations
AWS VPC discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS Site-to-Site VPN discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS PrivateLink discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS EC2 infrastructure enumeration activity Informational Cloud
EC2 infrastructure enumeration activity detected within a specific AWS region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover EC2 resources and network setup to find potential weaknesses or targets. Use the gathered information to enable lateral movement, privilege escalation, or data exfiltration.Investigative actions: Identify and review the specific EC2 enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.AWS EC2 instance exported into S3 Informational Cloud
A running or stopped instance was exported to an Amazon S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.AWS Flow Logs deletion Informational Cloud
A cloud identity has deleted one or more Flow Logs records.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Exfiltrate information.Investigative actions: Check if the Identity intended to delete the Flow Logs record/s. Check what VPC is affected by this.AWS Guard-Duty detector deletion Low Cloud
AWS Guard-Duty detector was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: This action may assist an attacker to evade detection.Investigative actions: Check why the identity deleted the detector. Check what resources are relevant to the deleted detector.AWS IAM account discovery operation Informational Cloud
AWS IAM account discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Understand the IAM structure and relationships between users, roles, and groups to identify high-privilege identities or misconfigurations. Identify identities or roles that can be used to escalate privileges or gain broader access.Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.AWS IAM permission groups discovery operation Informational Cloud 1 variation
AWS IAM permission groups discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Cloud Groups (T1069.003)Required data: AWS Audit LogAttacker's goals: Understand the IAM structure and relationships between users, groups, and roles. Identify high-privilege identities or misconfigurations for privilege escalation.Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.Variations
Unusual AWS IAM permission groups discovery operation
Informational overridden
First execution of an AWS IAM permission groups discovery operation by a non-user identity. overridden
AWS IAM resource group deletion Informational Cloud
An AWS IAM resource group was deleted, this action may affect the permissions of the members of the deleted group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AWS Audit LogAttacker's goals: An attacker may interrupt the availability of an account, this may revoke access to the account.Investigative actions: Check what members were affected by this action.AWS Lambda discovery operation Informational Cloud
AWS Lambda discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.AWS Lambda infrastructure enumeration activity Informational Cloud
Lambda infrastructure enumeration activity detected within a specific AWS region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover deployed functions and their configurations. Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths. Enumerate metadata for potential weaknesses or sensitive data.Investigative actions: Identify and review the specific Lambda enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.AWS Password Policy Discovery Informational Cloud
A cloud identity has viewed the AWS account password policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Password Policy Discovery (T1201)Required data: AWS Audit LogAttacker's goals: Obtaining the account password policy facilitates password brute-force attacks and enables lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS RDS cluster deletion Informational Cloud
A previously provisioned DB cluster (RDS) was deleted.When a DB cluster is being deleted, all automated backups for that DB cluster are deleted and can't be recovered.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Destruction of data.Investigative actions: Check which cluster was deleted. Check if there are any manual backups for that cluster (as they are not affected by this action).AWS S3 Buckets enumeration activity Informational Cloud
Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover available S3 buckets in the environment. Enumerate objects within buckets to determine the type and structure of stored data. Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.Investigative actions: Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns. Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.AWS S3 bucket was exposed to public access Low Cloud 2 variations
AWS bucket was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the bucket to public. Change the bucket or ACL policy for bucket. Restrict permissions for the identity if needed.Variations
AWS S3 bucket was exposed to public access by admin cloud identity
Informational overridden
AWS bucket was publicly shared. overridden
AWS S3 bucket was exposed to public access containing sensitive information
High overridden
AWS bucket was publicly shared. overridden
AWS S3 discovery operation Informational Cloud
AWS S3 discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619)Required data: AWS Audit LogAttacker's goals: Identify accessible buckets, enumerate their contents, and assess permissions or public exposure. Locate sensitive data, evaluate exfiltration paths, and plan privilege escalation or misconfiguration abuse.Investigative actions: Verify if the identity normally interacts with S3 in this environment. Check whether the activity was part of a legitimate application or automated process or if it appears interactive or out-of-pattern. Look for signs of broad enumeration, such as listing multiple buckets or traversing objects across different buckets. Investigate whether the accessed bucket or objects contain sensitive data or are configured for public or cross-account access. Correlate with other actions to determine if data was accessed, exfiltrated, or altered.AWS SES account sending settings modified Informational Cloud
AWS SES account sending settings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to confidential emails of an organization. Compromise the organization's cloud Email infrastructure.Investigative actions: Check whether the SES Email sending setting modification was intentional.AWS SSM parameters discovery Informational Cloud 1 variation
An attempt was made to list parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS SSM parameters discovery
Informational overridden
An attempt was made to list parameters stored in AWS SSM. overridden
AWS SSM parameters retrieval Informational Cloud 2 variations
An attempt was made to retrieve parameters stored in AWS SSM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS SSM parameter store.Investigative actions: Investigate the purpose of the encrypted parameter and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.Variations
AWS SSM encrypted parameters retrieval
Informational overridden
An attempt was made to retrieve encrypted parameters stored in AWS SSM. overridden
Unusual AWS SSM parameters retrieval
Informational overridden
An attempt was made to retrieve parameters stored in AWS SSM. overridden
AWS SSM send command attempt Informational Cloud 2 variations
An identity executed an AWS SSM Document.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.Variations
AWS SSM SendCommand targeting multiple instances
Low overridden
An identity executed an AWS SSM Document. overridden
Unusual AWS SSM send command
Low overridden
An identity executed an AWS SSM Document. overridden
AWS STS temporary credentials were generated Informational Cloud
AWS STS temporary credentials were generated for an AWS identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)Required data: AWS Audit LogAttacker's goals: Gain access and persistence to AWS account.Investigative actions: Check which operation executed with the new credentials.AWS Secrets Manager Access Informational Cloud 1 variation
An attempt was made to retrieve secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Investigate the secret's purpose and assess the sensitivity of its contents. Check if the access aligns with known workflows or automation, or if it indicates abnormal activity.Variations
Unusual AWS Secrets Manager Access
Informational overridden
An attempt was made to retrieve secrets from AWS Secrets Manager. overridden
AWS Secrets Manager discovery Informational Cloud 1 variation
An attempt was made to list secrets from AWS Secrets Manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.Variations
Unusual AWS Secrets Manager discovery
Informational overridden
An attempt was made to list secrets from AWS Secrets Manager. overridden
AWS Security Service Enumeration Informational Cloud 1 variation
AWS security service enumeration activity, potentially indicating reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Software Discovery (T1518) Software Discovery: Security Software Discovery (T1518.001) Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Reconnaissance of security defenses to assess and identify exploitable weaknesses.Investigative actions: Review which API calls were executed and their frequency. Analyze the identity performing the actions. Inspect configurations of enumerated services.Variations
AWS Multiple Security Services Enumeration
Informational overridden
AWS security service enumeration activity, potentially indicating reconnaissance. overridden
AWS SecurityHub findings were modified Informational Cloud
AWS SecurityHub findings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: AWS Audit LogAttacker's goals: Bypass security measures implemented by AWS SecurityHub.Investigative actions: Check the current AWS SecurityHub settings and verify they are configured properly.AWS Storage Gateway enumeration Informational Cloud
An AWS Storage Gateway was enumerated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate the organizational structure to plan lateral movement.Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.AWS Storage Gateway file share enumeration Informational Cloud
AWS Storage Gateway file shares were enumerated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate the organizational structure to plan lateral movement.Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.AWS Transfer Family server created Informational Cloud 1 variation
A cloud identity created server using AWS Transfer Family service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Attacker is trying to exfiltrate data out of AWS storage services.Investigative actions: Check if the AWS Transfer Family service is used by your organization. Check if {identity_name} created a server using this service before. Check which storage instances were affected by {transfer_server_id} server.Variations
Unusual cloud transfer service activity
Low overridden
A cloud identity created server using AWS Transfer Family service. overridden
AWS config resource deletion Informational Cloud
An AWS config resource deletion this includes:Config rule, organization rule, configuration recorder, remediation configuration, conformance pack, configuration aggregator, delivery channel, retention configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: An attacker may modify Config configuration to evade detection.Investigative actions: Check why the identity deleted the configuration. Check what resources are relevant to the deleted config.AWS console login without MFA Informational Cloud
An identity logged in to the AWS console without MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)Required data: AWS Audit LogAttacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.AWS data asset shared public Low Cloud
A data asset was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.AWS network ACL rule creation Informational Cloud
An AWS network ACL rule was created with a specific rule number.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.AWS network ACL rule deletion Informational Cloud
An AWS network ACL rule was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Identify which VPC and associated resources are affected. Check the rule number, as ACL rules are evaluated in order. Determine whether the rule is ingress or egress.AWS principals discovery Informational Cloud
A cloud identity has enumerated principals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtaining a list of principals that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS resource discovery Informational Cloud
A cloud identity has enumerated resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.AWS root account activity Informational Cloud
The AWS root account has successfully performed an operation in the project.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Use legitimate credentials of a cloud account to access resources.Investigative actions: Look for any signs the Root user is compromised. Determine if the Root credentials need to be changed.AWS support case creation Informational Cloud
A cloud identity has created a new case in AWS support.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .AWS user creation Informational Cloud
A new AWS user was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Cloud Account (T1136.003)Required data: AWS Audit LogAttacker's goals: Maintaining persistence by creating backdoor users or malicious resources, ensuring ongoing access even if their initial entry is detected.Investigative actions: Check which user was created. Investigate the created user role and permissions. Verify the user who created the new identity is aware of this action. Be aware of any suspicious activity originating from the new user.AWS web ACL deletion Informational Cloud 1 variation
Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: To impair defense, this may assist data exfiltration.Investigative actions: Verify if the identity intended to delete the Web ACL. Check what resources are affected by the Web ACL deletion.Variations
Successful AWS web ACL deletion by a non-admin identity
Low overridden
Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted. overridden
Abnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations
An identity allocated an unusual compute resource pool, suspected as mining activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to generate virtual currency.Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).Variations
Abnormal Unusual allocation of compute resources in multiple regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Suspicious allocation of compute resources in multiple regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Allocation of compute resources in a high number of regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Allocation of compute resources in multiple regions by an unusual identity
Low overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Communication to a Rare Domain Informational 3 variations
An abnormal communication was seen from an internal entity to a rare domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR C2 DetectionAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.Variations
Abnormal Communication to a Rare Domain With a Port Commonly Used by Attack Platforms
Low overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Communication to a Rare Domain to a Suspicious Autonomous System (AS)
Informational overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Communication to a Rare Domain With a Less Common Port
Informational overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden