Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

155 alerts match the current filters. tactic: TA0001 ✕

Show ATT&CK heatmap
  • Possible webshell file written by a web server process Low 3 variations

    An uncommon file with a web file extension was created, written or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.

    Variations

    Possible webshell file written by a node web server process

    Informational overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process in an internet facing server

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

    Possible webshell file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon file with a web file extension was created, written or renamed by a web server process. overridden

  • Potential Okta access limit breach Informational Identity Threat Module 1 variation

    A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)
    ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    A breach in access limits within Okta, accompanied by suspicious characteristics

    Low overridden

    The user exceeded the access threshold in Okta, triggering a violation alert. overridden

  • Potential Phishing has been detected Medium Email 4 variations

    This email contains multiple indicators consistent with a phishing attack. The message likely attempts to steal credentials, distribute malware, or trick recipients into performing actions that compromise security through deceptive content or suspicious technical characteristics.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit Log
    Detector tags: Phishing
    Attacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.
    Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.

    Variations

    Potential Brand Impersonation has been detected

    Medium overridden

    This email appears to impersonate a legitimate brand or service provider to deceive recipients. Attackers often mimic trusted companies like banks, cloud services, or popular brands to steal credentials, distribute malware, or conduct fraudulent activities. overridden

    Potential Spear Phishing has been detected

    Medium overridden

    This email represents a targeted spear phishing attack aimed at high-value personnel within your organization. These highly personalized attacks often target executives or privileged users to gain unauthorized access to sensitive systems or information. overridden

    Potential Business Email Compromise has been detected

    Medium overridden

    This email exhibits characteristics of a Business Email Compromise attack, where threat actors impersonate executives or trusted business partners to manipulate recipients into authorizing fraudulent financial transactions or wire transfers. overridden

    Potential Exfiltration has been detected

    Medium overridden

    This outbound email shows suspicious patterns consistent with data exfiltration attempts. The communication may involve unauthorized transmission of sensitive organizational data to external recipients through email channels. overridden

  • Potential spoofing of internal domain spotted Informational Email

    An external sender is possibly impersonating an employee by spoofing the company's internal address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: Get credentials for internal systems. Executing financial transfers from the company to the attacker's account. Extracting information outside the company. Encrypting critical information and demanding a ransom.
    Investigative actions: Check the received header path, especially the sender host. Check DMARC, SPF AND DKIM authentication results. Verify whether the sender's IP address has appeared in different log sources before and its reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Quarantined email released to recipients Informational Email 3 variations

    This message was previously quarantined by vendor and has now been released and delivered to the intended recipients.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Repeated quarantine releases to mailbox from previously quarantined sender

    Low overridden

    This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the mailbox has received multiple quarantined messages and the sender has been quarantined several times over the past 30 days. overridden

    Repeated quarantine releases from previously quarantined sender

    Low overridden

    This message was previously quarantined by vendor and later released and delivered to the intended recipients, while the sender has been quarantined multiple times over the past 30 days. overridden

    Repeated quarantine-released emails received by mailbox

    Low overridden

    This mailbox has repeatedly received messages over the past 30 days that were quarantined by vendor and later released and delivered to the recipient. overridden

  • Rare MS-Update Server was detected Informational 1 variation

    The endpoint requested an MS-Update operation from a rare update server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attackers may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.
    Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.

    Variations

    Rare MS-Update Server was detected

    Informational overridden

    The endpoint requested an MS-Update operation from a rare update server. overridden

  • Rarely seen URL(s) within a well-known domain detected in your organization's email Informational Email

    We have identified unpopular URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender address in the organization Informational Email

    An email was received from a sender that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender domain in the organization Informational Email

    An email was received from a domain that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Remote usage of AWS Lambda's role Informational Cloud 5 variations

    An AWS Lambda's role was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.

    Variations

    Remote command line usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Medium overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    Low overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Suspicious usage of AWS Lambda's role

    High overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

    Usage of AWS Lambda's role from a known ASN

    Informational overridden

    An AWS Lambda's role was used externally of the cloud environment. overridden

  • Remote usage of an AWS service token Low Cloud 1 variation

    An AWS service token was used externally of the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate a token and abuse it remotely.
    Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.

    Variations

    Suspicious usage of AWS service token

    Medium overridden

    An AWS service token was used externally of the cloud environment. overridden

  • SSO authentication attempt by a honey user Low Identity Analytics 1 variation

    An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Okta OneLogin PingOne
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Abnormal SSO authentication by a honey user

    Medium overridden

    An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden

  • SSO authentication by a machine account Low Identity Analytics

    A machine account successfully authenticated via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.
  • SSO authentication by a service account Low Identity Analytics 2 variations

    A service account successfully authenticated via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Rare non-interactive SSO authentication by a service account

    Informational overridden

    A service account successfully authenticated via SSO. overridden

    First time SSO authentication by a service account

    Medium overridden

    A service account successfully authenticated via SSO. overridden

  • SSO with abnormal operating system Informational Identity Analytics

    A user successfully authenticated via SSO with an abnormal operating system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Okta
    Attacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.
  • SSO with abnormal user agent Informational Identity Analytics 1 variation

    A user successfully authenticated via SSO with an abnormal user agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Okta AzureAD Azure SignIn Log Duo PingOne
    Attacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new user agent app). Follow actions and suspicious activities regarding the user.

    Variations

    SSO with an offensive user agent

    Low overridden

    A user successfully authenticated via SSO with an offensive user agent. overridden

  • SSO with new operating system Informational Identity Analytics

    A user successfully authenticated via SSO with a new operating system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Okta Azure SignIn Log AzureAD Duo
    Attacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.
  • SaaS suspicious external domain user activity Informational Identity Threat Module 1 variation

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.
    Investigative actions: Investigate the external domain name. Check the identity activity in the organization.

    Variations

    Suspicious external user activity detected from a domain first seen in the organization

    Low overridden

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization, both in cloud and SaaS environments. overridden

  • Sending unusual file(s) to an external address Low Email

    Unusual files sent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.
    Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.
  • Suspicious API call from a Tor exit node High Cloud 2 variations

    A cloud API was called from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Suspicious Kubernetes API call from a Tor exit node

    High overridden

    A Kubernetes API was called from a Tor exit node. overridden

    A Failed API call from a Tor exit node

    Informational overridden

    A cloud API was called from a Tor exit node. overridden

  • Suspicious Azure AD interactive sign-in using PowerShell Informational Identity Analytics 1 variation

    A user interactively logged in to Azure AD via PowerShell.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD
    Attacker's goals: The attacker attempts to gain access to the organization's resources.
    Investigative actions: Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

    Variations

    Unusual Azure AD interactive sign-in using PowerShell

    Low overridden

    A user interactively logged in to Azure AD via PowerShell from an unusual geolocation or ASN. overridden

  • Suspicious External RDP Login Informational Identity Analytics

    An unusual successful RDP connection by a user from an external IP.This may be indicative of using stolen credentials or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.
    Investigative actions: Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.
  • Suspicious HTTP parameters detected Medium

    The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.
    Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.
  • Suspicious MFA request reported by user in Entra ID Informational Identity Threat Module 1 variation

    A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may attempt to gain unauthorized access to the account.
    Investigative actions: Check if the authentication attempt was legitimate. Investigate any recent unusual login behavior or IP addresses associated with the account. Verify whether the user has recently changed their authentication methods or account settings. Follow the account for possible suspicious or unusual logins.

    Variations

    Suspicious MFA request reported by a sensitive user in Entra ID

    Low overridden

    A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt. overridden

  • Suspicious Process Spawned by Adobe Reader Low

    Unusual process spawned by Adobe Reader with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via a phishing document.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Suspicious SSO access from ASN Informational Identity Analytics 1 variation

    A suspicious SSO authentication was made by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    Google Workspace - Suspicious SSO access from ASN

    Informational overridden

    A suspicious SSO authentication was made by a user. overridden

  • Suspicious SSO authentication Informational Identity Analytics 2 variations

    A suspicious SSO authentication was made by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta
    Attacker's goals: Achieve initial access to a company's resources.
    Investigative actions: See whether this was a legitimate action. Review the external IP/domain involved in the alert. Contact the user whose account is being accessed and verify that they are actually attempting to log in. Check if the login attempt is coming from an unfamiliar location or device. Look for unusual login patterns, such as login attempts at odd hours. Monitor the user's account for further unusual activity.

    Variations

    Successful SSO authentication with suspicious characteristics

    Medium overridden

    A user successfully accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden

    SSO authentication attempt with suspicious characteristics

    Low overridden

    A user accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden

  • Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics

    Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)
    Required data: AzureAD
    Attacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.
    Investigative actions: Follow further actions done by the account.
  • Suspicious failed HTTP request - potential Spring4Shell exploit Low 1 variation

    A potentially malicious failed HTTP request was received, possibly as part of a Spring4Shell exploitation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Exploit Public-Facing Application (T1190)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Gain the ability to execute code remotely or drop malware.
    Investigative actions: Check if suspicious process executions occurred after the request. Consider limiting access to the vulnerable server.

    Variations

    Suspicious HTTP request - potential Spring4Shell exploit

    Medium overridden

    A potentially malicious HTTP request was received, possibly as part of a Spring4Shell exploitation attempt. overridden

  • Suspicious heavy allocation of compute resources - possible mining activity Medium Cloud 3 variations

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to earn virtual currency.
    Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. access key, service account, etc.

    Variations

    Suspicious heavy allocation of compute resources - possible mining activity

    Low overridden

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden

    Suspicious heavy allocation of compute resources - possible mining activity

    High overridden

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden

    Suspicious heavy allocation of compute resources - possible mining activity

    Medium overridden

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden

  • Suspicious sender exhibiting automated sending patterns Informational Email 1 variation

    Multiple messages from a single sender were observed over a short period, all having the same subject and differing body content.This repetitive pattern may indicate automated or scripted behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Phishing
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Suspicious sender with high-volume automated sending patterns

    Informational overridden

    A high volume of messages was observed from a single sender address within a short time period, all sharing the same subject line but containing different body content.This elevated and repetitive pattern may indicate automated or scripted behavior at scale. overridden

  • Suspicious sending domain with sender address randomization Informational Email 1 variation

    Multiple messages from a single sender domain were observed over a short period, each using a unique sender address.This per-message sender randomization is uncommon for legitimate senders and suggests automated behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Phishing
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    High-volume sender domain with per-message sender randomization

    Informational overridden

    A high volume of emails was observed from a single sending domain over a short time period, each using a unique sender address.This high volume per-message sender randomization is uncommon for legitimate senders and suggests automated behavior. overridden

  • Suspicious successful RDP connection to localhost Informational Identity Analytics 2 variations

    An unusual process created a successful RDP connection to localhost. This may indicate the use of a tunnel to bypass a firewall.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Identify the user performing RDP and check that it is authorized. Follow further actions done by the user.

    Variations

    Suspicious successful RDP connection to localhost via reverse SSH tunnel

    Low overridden

    An unusual process created a successful RDP connection to localhost.The command line indicates the usage of SSH tunnel to bypass the firewall. overridden

    Suspicious successful RDP connection to localhost on DC server

    Low overridden

    An unusual process created a successful RDP connection to localhost on a DC server. This may indicate the use of a tunnel to bypass a firewall. overridden

  • Suspicious usage of EC2 token Low Cloud 1 variation

    An AWS EC2 STS token was used externally from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.

    Variations

    Suspicious usage of EC2 token

    Medium overridden

    An AWS EC2 STS token was used externally from an EC2 instance. overridden

  • Training simulation email detected Medium Email

    This email was flagged as part of a training simulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Phishing
    Attacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings. Examine the sender's IP address and reputation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Uncommon URL domain(s) in your organization detected in email Informational Email 3 variations

    We have identified unpopular domain(s) in URL(s) within this email.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into engaging with a URL(s), aiming to extract information or establish access to the network.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Internal email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

    Outbound email with a first-seen URL domain(s) in your organization in the last 30 days

    Informational overridden

    We have identified unpopular domain(s) in URL(s) within this email. overridden

  • Unique client computer model was detected via MS-Update protocol Informational

    A unique client computer model was detected via MS-Update protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Hardware Additions (T1200)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server while providing the necessary client characteristics to install the suitable client version and build. Characteristics may consist of computer model, BIOS version and architecture. A unique computer model in the network may indicate an unauthorized and unmanaged connection to the internal network.
    Investigative actions: Inspect the legitimacy of the host and its hardware components. Verify that this host is not a newly deployed end-point or virtual machine as part of a legitimate IT activity.
  • Unpopular domains detected in email URLs for a recipient Informational Email 1 variation

    We have identified unpopular domain(s) within these email URLs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Highly unpopular URL domain(s) for mailbox detected in email

    Informational overridden

    We have identified unpopular domain(s) within these email URLs. overridden

  • Unrecognized internal address (AAD mismatch) Informational Email

    An email was received from an address using an internal domain, but the sender is not found in Active Directory. This may indicate an impersonation attempt or domain spoofing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: The attacker aims to impersonate an internal user to gain trust, bypass security controls, and potentially extract sensitive information or distribute malicious content through internal-looking emails.
    Investigative actions: Verify if the sender address exists in Active Directory. Check historical email activity from the spoofed address. Review email headers for spoofing indicators (SPF, DKIM, DMARC failures). Identify if recipients engaged with the email (clicked links, downloaded attachments). Correlate with other alerts involving the same sender or domain.
  • Unusual AWS Bedrock model access request Informational Cloud

    A cloud identity requested access to an AWS Bedrock model.MITRE ATLAS Technique: AML.T0012 - Valid Accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gain access to cloud AI/ML resources and services.
    Investigative actions: Examine which AWS Bedrock models were affected. Investigate any unusual activity originating from the suspected identity.
  • Unusual DB process spawning a shell Informational 3 variations

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.
    Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).

    Variations

    Unusual DB process spawning a shell with a possible reconnaissance command

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

    Unusual DB process spawning a shell with a possible web download/access command

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

    Unusual DB process spawning a shell with an unusual command line

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

  • Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation

    Unusual Process Spawned by Nginx in Ingress-Nginx pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.
    Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.

    Variations

    Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload

    High overridden

    Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden

  • Unusual cross projects activity Low Cloud 1 variation

    A suspicious activity between different cloud projects.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse an existing connection and pivot through multiple projects to find their target.
    Investigative actions: Check if the identity intended to perform actions on the project. Check the operations that were performed on the project {caller_project}. Check if the identity performed additional operations in the cloud environment that might be malicious.

    Variations

    Suspicious cross projects activity

    Medium overridden

    A suspicious activity between different cloud projects. overridden

  • Unusual display name in From header Informational Email 2 variations

    An email was detected with an unusual display name in the From header.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Evade defenses and hide potential malicious data inside the email display name.
    Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.

    Variations

    Unusual display name in the From header containing an embedded URL

    Low overridden

    An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden

    Unusual display name in the From header that is identical to the email address

    Informational overridden

    An email was detected where the display name in the From header is unusual and matches the sender email address. overridden

  • Unusual user account unlock Informational Identity Analytics 1 variation

    A user unlocked an account. This user does not usually unlock user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may unlock a user account to gain unauthorized access.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4625, 4776 events). Check if the user is authorized to unlock accounts. Confirm that the user unlock was expected. Monitor services that may be running with a user's credentials, resulting in lockouts.

    Variations

    Unusual sensitive user account unlock

    Low overridden

    A user unlocked a sensitive account. This user does not usually unlock user accounts. overridden

  • Unusual user-agent for a cloud identity Informational Cloud 1 variation

    A cloud identity has executed an API call with an unusual user-agent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Evade detection by using non-standard tools or scripts.
    Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.

    Variations

    Unusual user-agent for a cloud identity by a compromised AWS access key

    Medium overridden

    A cloud identity has executed an API call with an unusual user-agent. overridden

  • Upload pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation

    A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)
    Required data: AzureAD
    Attacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.
    Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.

    Variations

    User signed in to an uncommon application via Power Automate for the first time

    Low overridden

    A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden

  • VPN access with an abnormal operating system Informational Identity Analytics 2 variations

    A user accessed a VPN with an abnormal operating system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use a legitimate user and connect to a VPN service to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.

    Variations

    VPN access with a suspicious operating system

    Medium overridden

    A user accessed a VPN with an abnormal operating system. overridden

    VPN access from an abnormal operating system with suspicious characteristics

    Low overridden

    A user accessed a VPN from an abnormal operating system with some more suspicious characteristics that flagged this login attempt as a suspicious login. overridden

  • VPN login attempt by a honey user Low Identity Analytics 1 variation

    A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Abnormal VPN login by a honey user

    Medium overridden

    A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden

  • VPN login by a service account Low Identity Analytics 1 variation

    A service account attempted to log in to a VPN service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.
    Investigative actions: See whether the service authentication was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Rare VPN login by an administrative service account

    Medium overridden

    An administrative service account attempted to log in to a VPN service. overridden

  • VPN login with a machine account Informational Identity Analytics 1 variation

    A machine account successfully logged in to a VPN service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.
    Investigative actions: See whether the service login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Rare VPN login with a machine account

    Low overridden

    A machine account successfully logged in to a VPN service. overridden

  • Web server CGO executed an uncommon process Informational 1 variation

    An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.

    Variations

    Web server CGO executed a LOLBIN process with direct IP in the command line

    High overridden

    A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden

  • X-Forefront-Antispam-Report has flagged this email as a potential threat Informational Email 15 variations

    This email has been categorized by X-Forefront-Antispam-Report as a threat, suggesting it is likely malicious in nature (e.g., spam, phishing, impersonation, etc.).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) Impersonation (T1656) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    X-Forefront-Antispam-Report has categorized this email as containing malware (AMP)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    X-Forefront-Antispam-Report has categorized this email as containing malware (MALW)

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as containing malware, indicating a high likelihood that it includes malicious content. overridden

    Email contains an attachment flagged by X-Forefront-Antispam-Report as malware due to its file type

    Informational overridden

    X-Forefront-Antispam-Report has automatically flagged certain attachment types as malware based on file type (without deeper content analysis). This email includes such attachments. overridden

    Email identified by X-Forefront-Antispam-Report as a phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as a phishing attempt in its anti-spam headers, indicating a high likelihood that it is designed to deceive the recipient into disclosing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as a highly confident phishing attempt

    Informational overridden

    X-Forefront-Antispam-Report has identified this email as a phishing attempt with high confidence in its anti-spam headers, suggesting a significant risk of deceptive intent aimed at stealing sensitive information. overridden

    Email flagged by X-Forefront-Antispam-Report as impersonating internal communication

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as an attempt to mimic or impersonate internal organizational communication, suggesting a potential internal compromise or impersonation attempt. overridden

    X-Forefront-Antispam-Report has strongly flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam with high confidence in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report flagged this email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam in its anti-spam headers, indicating it is likely unsolicited and potentially harmful. overridden

    X-Forefront-Antispam-Report has flagged this email as a bulk email

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as a bulk message in its anti-spam headers, indicating it is part of mass communication that may be unsolicited or irrelevant to the recipient. overridden

    X-Forefront-Antispam-Report has flagged an internal email as spam

    Informational overridden

    X-Forefront-Antispam-Report has classified this email as spam originating from within the organization in its anti-spam headers, indicating a potential internal security issue, such as a compromised account or misconfigured system sending unsolicited messages. overridden

    X-Forefront-Antispam-Report has flagged this email as attempting to forge the sender's identity

    Informational overridden

    This email has been classified by X-Forefront-Antispam-Report as spoofing the sender's identity in its anti-spam headers, indicating a high likelihood that the sender's identity has been forged to appear as a trusted source. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a specific user within the organization

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a specific user within the organization in its anti-spam headers, suggesting a targeted attempt to deceive recipients by mimicking a trusted internal user. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating the organization's domain

    Informational overridden

    This email has been identified by X-Forefront-Antispam-Report as an attempt to impersonate the organization's domain in its anti-spam headers, indicating a deceptive effort to make the email appear as if it originates from the organization's legitimate domain. overridden

    X-Forefront-Antispam-Report has flagged this email as using advanced impersonation techniques

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as using advanced impersonation techniques in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication patterns to appear credible. overridden

    X-Forefront-Antispam-Report has flagged this email as impersonating a well-known brand

    Informational overridden

    X-Forefront-Antispam-Report has categorized this email as impersonating a well-known brand in its anti-spam headers, indicating the use of sophisticated methods where the sender mimics typical communication made by legitimate brands to appear credible. overridden