Analytics Alerts
Browse the Cortex analytics alert reference.
158 alerts match the current filters. technique: T1078 ✕
Show ATT&CK heatmapMultiple risk indicators for a cloud identity High Cloud
Multiple risk indicators detected for a cloud identity, combining unusual activity with activity from unusual geolocation or high-risk IP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Compromise a cloud user account to gain access and perform malicious activities.Investigative actions: Review the user's recent activity for any unauthorized actions.Rotate the user's credentials immediately if confirmed compromised.Multiple user accounts were deleted Informational Identity Analytics 1 variation
A user deleted multiple user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Impact (TA0040)ATT&CK techniques: Valid Accounts (T1078) Account Access Removal (T1531)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who deleted the accounts and verify the activity. Look into the recent activity of the deleted accounts and whether they were temporary or dormant.Variations
A user deleted multiple users for the first time
Low overridden
A user deleted multiple user accounts. overridden
New FTP Server Low 2 variations
A new FTP server has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.Variations
New FTP Server Accessed Via a Port Scan
Informational overridden
A new FTP server has been detected. overridden
New FTP Server from an external source
Low overridden
A new FTP server has been detected. overridden
New Shared User Account Low Identity Analytics
A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 30 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.Okta Reported Attack Suspected Low Identity Threat Module
Okta Threat Insight Reported Attack Suspected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker might attempt to compromise Okta accounts to gain access to sensitive assets or data.Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk.Okta Reported Threat Detected Informational Identity Threat Module 1 variation
Okta Threat Insight Reported Threat Detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.Investigative actions: Investigate the original events that were reported as suspicious. Investigate additional alerts that are activated based on the IP address. Follow further actions done by the ip.Variations
Okta detected multiple threats from the same IP along with other suspicious characteristics
Low overridden
Okta Threat Insight Reported Threat Detected. overridden
Okta account reset password attempt Informational Identity Threat Module 1 variation
A user used a weak factor to reset their Okta password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Examine the IP address and assess its reputation. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Suspicious Okta account reset password attempt
Low overridden
A user used a weak factor to reset their Okta password. overridden
Okta account unlock Informational Identity Threat Module 1 variation
Okta user account was unlocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 3 Hours
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Okta account unlock with suspicious characteristics
Low overridden
Okta user account was unlocked. overridden
Okta account unlock by admin Informational Identity Threat Module 1 variation
An administrative user unlocked an Okta account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Suspicious Okta account unlock by admin
Low overridden
An administrative user unlocked an Okta account. overridden
Okta device assignment Informational Identity Threat Module 1 variation
A device was assigned as an Okta MFA device to a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: For purposes of maintaining persistence, an attacker could potentially register his device with various accounts that have been compromised.Investigative actions: Confirm that the device assignments were intentionally made by the users and are legitimate. Examine the IP address and assess its reputation. Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.Variations
A suspicious assignment of a mobile device to multiple users
Low overridden
A single device is being used as an Okta MFA device by multiple users. overridden
Owner was added to Azure application Informational Cloud
An Owner was added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain administrative control and manipulate the application's permissions and settings.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.PKINIT TGT authentication request Informational Identity Analytics 2 variations
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.Variations
Suspicious PKINIT TGT authentication request
Medium overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Abnormal PKINIT TGT authentication request
Low overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.Variations
Azure First-Seen Device - Impossible Traveler
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Rare Country Login - Impossible Traveler (SSO)
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Potential Okta access limit breach Informational Identity Threat Module 1 variation
A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
A breach in access limits within Okta, accompanied by suspicious characteristics
Low overridden
The user exceeded the access threshold in Okta, triggering a violation alert. overridden
Privileged certificate request via certificate template Informational Identity Analytics 2 variations
A privileged certificate was requested via certificate template.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller or privileged account.Investigative actions: Check if this is a legitimate certificate request. Check if the certificate issued was used to request a Kerberos ticket. Investigate actions done with the issued certificate and its owner. Check for possible NTLM relay alerts.Variations
Suspicious privileged certificate request denied via certificate template
Medium overridden
A suspicious privileged certificate request was denied via certificate template. overridden
Suspicious privileged certificate request via certificate template
Low overridden
A suspicious privileged certificate was requested via certificate template. overridden
PsExec was executed with a suspicious command line Informational 4 variations
PsExec.exe was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: System Services: Service Execution (T1569.002) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: An adversary may attempt to use PsExec to gain execution capabilities, run remote commands or perform privilege escalation.Investigative actions: Check if any other suspicious activities happened under the same causality. Confirm the PsExec.exe command is benign.Variations
PsExec was executed with a suspicious command line by a LOLBIN
Low overridden
PsExec.exe was executed with NT/System privilege level by a LOLBIN. overridden
PsExec was executed with a suspicious command line by an unsigned actor
Medium overridden
PsExec.exe was executed with NT/System privilege level by an unsigned actor. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with NT/System privilege level. overridden
PsExec was executed with a suspicious command line
Low overridden
PsExec.exe was executed with plain-text credentials. overridden
Remote usage of AWS Lambda's role Informational Cloud 5 variations
An AWS Lambda's role was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.Variations
Remote command line usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Medium overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Low overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Usage of AWS Lambda's role from a known ASN
Informational overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
SPNs cleared from a machine account Low Identity Analytics 1 variation
Service principal names were cleared from a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.Variations
SPNs cleared from a machine account for the first time
Medium overridden
Service principal names were cleared from a machine account. overridden
SSO authentication attempt by a honey user Low Identity Analytics 1 variation
An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Okta OneLogin PingOneDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Abnormal SSO authentication by a honey user
Medium overridden
An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden
SSO authentication by a machine account Low Identity Analytics
A machine account successfully authenticated via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.SSO authentication by a service account Low Identity Analytics 2 variations
A service account successfully authenticated via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare non-interactive SSO authentication by a service account
Informational overridden
A service account successfully authenticated via SSO. overridden
First time SSO authentication by a service account
Medium overridden
A service account successfully authenticated via SSO. overridden
SSO with abnormal operating system Informational Identity Analytics
A user successfully authenticated via SSO with an abnormal operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD OktaAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.SSO with abnormal user agent Informational Identity Analytics 1 variation
A user successfully authenticated via SSO with an abnormal user agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Okta AzureAD Azure SignIn Log Duo PingOneAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new user agent app). Follow actions and suspicious activities regarding the user.Variations
SSO with an offensive user agent
Low overridden
A user successfully authenticated via SSO with an offensive user agent. overridden
SSO with new operating system Informational Identity Analytics
A user successfully authenticated via SSO with a new operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Okta Azure SignIn Log AzureAD DuoAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.Service ticket request with a spoofed sAMAccountName Medium Identity Analytics
A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.Short-lived Azure AD user account Informational Identity Threat Module 1 variation
An Azure AD user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal Short-lived Azure AD user account
Low overridden
An Azure AD user was created and deleted within a short period of time. overridden
Short-lived user account Low Identity Analytics 2 variations
A user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal short-lived user account
Low overridden
A user was observed creating and deleting an account a short time later. This user does not regularly create and delete accounts. overridden
Short-lived hidden user account
Medium overridden
A user was created with a name that mimics a machine account and later deleted within a short period of time. This may be an attacker's attempt to evade detection. overridden
Successful unusual guest user invitation Informational Identity Threat Module 1 variation
An identity successfully invited a guest user to the tenant with unusual characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can invite users to for evasion.Investigative actions: Check who is the invited guest user. Check whether the inviter is permitted to perform such actions. Check if the domain of the invited guest is allowed for invitations in the organization.Variations
Rare successful guest invitation in the organization
Low overridden
An identity successfully invited a suspicious guest user to the tenant. overridden
Suspicious API call from a Tor exit node High Cloud 2 variations
A cloud API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Suspicious Kubernetes API call from a Tor exit node
High overridden
A Kubernetes API was called from a Tor exit node. overridden
A Failed API call from a Tor exit node
Informational overridden
A cloud API was called from a Tor exit node. overridden
Suspicious Azure AD interactive sign-in using PowerShell Informational Identity Analytics 1 variation
A user interactively logged in to Azure AD via PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureADAttacker's goals: The attacker attempts to gain access to the organization's resources.Investigative actions: Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Unusual Azure AD interactive sign-in using PowerShell
Low overridden
A user interactively logged in to Azure AD via PowerShell from an unusual geolocation or ASN. overridden
Suspicious MFA request reported by user in Entra ID Informational Identity Threat Module 1 variation
A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may attempt to gain unauthorized access to the account.Investigative actions: Check if the authentication attempt was legitimate. Investigate any recent unusual login behavior or IP addresses associated with the account. Verify whether the user has recently changed their authentication methods or account settings. Follow the account for possible suspicious or unusual logins.Variations
Suspicious MFA request reported by a sensitive user in Entra ID
Low overridden
A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt. overridden
Suspicious SSO access from ASN Informational Identity Analytics 1 variation
A suspicious SSO authentication was made by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
Google Workspace - Suspicious SSO access from ASN
Informational overridden
A suspicious SSO authentication was made by a user. overridden
Suspicious SSO authentication Informational Identity Analytics 2 variations
A suspicious SSO authentication was made by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: OktaAttacker's goals: Achieve initial access to a company's resources.Investigative actions: See whether this was a legitimate action. Review the external IP/domain involved in the alert. Contact the user whose account is being accessed and verify that they are actually attempting to log in. Check if the login attempt is coming from an unfamiliar location or device. Look for unusual login patterns, such as login attempts at odd hours. Monitor the user's account for further unusual activity.Variations
Successful SSO authentication with suspicious characteristics
Medium overridden
A user successfully accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden
SSO authentication attempt with suspicious characteristics
Low overridden
A user accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden
Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation
Suspicious account attribute modification that matches that of another account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.Variations
Suspicious account attribute modification that matches that of a sensitive machine account
Medium overridden
Suspicious account attribute modification that matches that of another account. overridden
Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics
Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)Required data: AzureADAttacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.Investigative actions: Follow further actions done by the account.Suspicious dNSHostName attribute change to DC name Medium Identity Analytics
The dNSHostName attribute of a machine account was changed to a Domain Controller server name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Suspicious heavy allocation of compute resources - possible mining activity Medium Cloud 3 variations
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. access key, service account, etc.Variations
Suspicious heavy allocation of compute resources - possible mining activity
Low overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
High overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
Medium overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious sAMAccountName change Low Identity Analytics 1 variation
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Variations
Suspicious sAMAccountName change to DC hostname
Medium overridden
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden
Suspicious usage of EC2 token Low Cloud 1 variation
An AWS EC2 STS token was used externally from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.Variations
Suspicious usage of EC2 token
Medium overridden
An AWS EC2 STS token was used externally from an EC2 instance. overridden
TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.The CA policy EditFlags was queried Medium
The CA policy EditFlags was queried.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Querying this registry value can indicate an attacker is looking for an enabled EDITF_ATTRIBUTESUBJECTALTNAME2 flag. When this flag is enabled, it allows users to request certificates with a Subject Alternate Name(SAN). This can allow an attacker to obtain a certificate with higher privileges.Investigative actions: Check if the action was allowed by the user. Monitor certificate enrollments with Subject Alternate Names. Check for unusual high privilege users certificate authentications.Unusual AWS Bedrock model access request Informational Cloud
A cloud identity requested access to an AWS Bedrock model.MITRE ATLAS Technique: AML.T0012 - Valid Accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to cloud AI/ML resources and services.Investigative actions: Examine which AWS Bedrock models were affected. Investigate any unusual activity originating from the suspected identity.Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations
A cloud identity performed an unusual IAM operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.Variations
Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance
Medium overridden
A cloud Internet facing instance performed an unusual IAM operation. overridden
Unusual Identity and Access Management (IAM) activity
Low overridden
A cloud non-user identity performed an unusual IAM operation. overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual resource modification by newly seen IAM user Informational Cloud 3 variations
A cloud resource was modified by a newly seen IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage access to manipulate cloud infrastructure.Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.Variations
Unusual Kubernetes resource modification by newly seen IAM user
Informational overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual IAM resource modification by newly seen IAM user
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual resource modification by newly seen IAM user from an uncommon IP
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual user account unlock Informational Identity Analytics 1 variation
A user unlocked an account. This user does not usually unlock user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may unlock a user account to gain unauthorized access.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4625, 4776 events). Check if the user is authorized to unlock accounts. Confirm that the user unlock was expected. Monitor services that may be running with a user's credentials, resulting in lockouts.Variations
Unusual sensitive user account unlock
Low overridden
A user unlocked a sensitive account. This user does not usually unlock user accounts. overridden
Unusual user-agent for a cloud identity Informational Cloud 1 variation
A cloud identity has executed an API call with an unusual user-agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Evade detection by using non-standard tools or scripts.Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.Variations
Unusual user-agent for a cloud identity by a compromised AWS access key
Medium overridden
A cloud identity has executed an API call with an unusual user-agent. overridden
User added a new device to Okta Verify instance Informational Identity Threat Module 1 variation
The user has successfully registered a new device with the Okta Verify application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.Investigative actions: Reach out to the user responsible for the device registration to confirm its legitimacy. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN). Make sure the IP address is not showing any abnormal activity. Monitor the activity from the new registered device and ensure that it matches the user's normal activity.Variations
Suspicious device enrollment to Okta
Low overridden
A new device was registered on Okta with suspicious characteristics, which increased the alert severity. overridden
User added to a group and removed Informational Identity Analytics 2 variations
A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.Variations
Rare privileged group addition and removal
Medium overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to a privileged group and removed
Low overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to the SMS Admins local group Low Identity Analytics 1 variation
A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.Variations
User added to the SMS Admins group and removed
Medium overridden
A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden
User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation
A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)Required data: AzureADAttacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.Variations
User signed in to an uncommon application via Power Automate for the first time
Low overridden
A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden
VPN access with an abnormal operating system Informational Identity Analytics 2 variations
A user accessed a VPN with an abnormal operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a legitimate user and connect to a VPN service to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.Variations
VPN access with a suspicious operating system
Medium overridden
A user accessed a VPN with an abnormal operating system. overridden
VPN access from an abnormal operating system with suspicious characteristics
Low overridden
A user accessed a VPN from an abnormal operating system with some more suspicious characteristics that flagged this login attempt as a suspicious login. overridden
VPN login attempt by a honey user Low Identity Analytics 1 variation
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Abnormal VPN login by a honey user
Medium overridden
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden
VPN login by a dormant user Informational Identity Analytics
A dormant user logged on to a VPN service after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check if the user initiated other logins aside from a VPN login. Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.VPN login by a service account Low Identity Analytics 1 variation
A service account attempted to log in to a VPN service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.Investigative actions: See whether the service authentication was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare VPN login by an administrative service account
Medium overridden
An administrative service account attempted to log in to a VPN service. overridden
VPN login with a machine account Informational Identity Analytics 1 variation
A machine account successfully logged in to a VPN service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.Investigative actions: See whether the service login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare VPN login with a machine account
Low overridden
A machine account successfully logged in to a VPN service. overridden