Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.
    Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.

    Variations

    Suspicious File Activity in SCCMContentLib Shared Folder by user

    Low overridden

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden

  • Abnormal ICMP echo (PING) to multiple hosts Low

    An endpoint performed an abnormal ICMP echo (PING) to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    2 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: XDR Agent
    Attacker's goals: An adversary may use the ICMP protocol to map IP addresses, hostnames and segments to plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed host. Verify if newly services or applications that require network mapping were installed on the initiating host.
  • Abnormal RDP connections to multiple hosts Informational 1 variation

    The endpoint attempted to initiate rare RDP connections to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics
    Attacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.

    Variations

    Abnormal RDP connections to multiple hosts

    Low overridden

    The endpoint attempted to initiate rare RDP connections to multiple hosts. overridden

  • Abnormal RDP connections to multiple hosts from a rarely seen host Low

    The endpoint attempted to initiate rare RDP connections to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.
  • Abnormal RDP session to a remote host from a rarely seen host Low

    The endpoint performed a rare RDP session to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.
    Investigative actions: Inspect the legitimacy of the user which the RDP made the connection with. Verify that this isn't IT activity.
  • Abnormal RPC traffic to multiple hosts Low 1 variation

    The endpoint performed unfamiliar RPC activity to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.

    Variations

    Abnormal RPC traffic to multiple IPs

    Informational overridden

    The endpoint performed unfamiliar RPC activity to multiple hosts. overridden

  • Abnormal Recurring Communications to a Rare Domain Informational 4 variations

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR C2 Detection
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.

    Variations

    Abnormal Recurring Communications to a Rare Domain With a Port Commonly Used by Attack Platforms

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain With an Abnormal Domain Suffix

    Informational overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain With a Less Common Port

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

  • Abnormal SMB activity to multiple hosts Low 4 variations

    An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: XDR Agent
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

    Variations

    Highly rare SMB activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare, SMB activity to multiple hosts on the network. overridden

    Highly rare SMB activity to multiple hosts

    Medium overridden

    An endpoint performed a new, and highly rare SMB activity to multiple hosts on the network. overridden

    Abnormal SMB activity to multiple hosts

    Medium overridden

    An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden

    Abnormal SMB activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden

  • Abnormal SMB scanning activity to multiple hosts Informational 4 variations

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    20 Minutes
    Deduplication:
    2 Days
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning (T1595)
    Required data: XDR Agent
    Attacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

    Variations

    Highly rare SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network. overridden

    Highly rare SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network. overridden

    Abnormal SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden

    Abnormal SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden

  • Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.
    Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.

    Variations

    Rare RDP User Login to Domain Controller by an Abnormal Department

    Medium overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal RDP User Login to Domain Controller

    Low overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    RDP User Login to Domain Controller

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal User Login to Domain Controller by an Abnormal Department

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

  • Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.

    Variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden

  • Abnormal connections to a dormant host from a newly seen endpoint Informational 1 variation

    The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: While probing the network, an attacker may discover dormant hosts. These inactive systems can then be used for lateral movement or privilege escalation.
    Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.

    Variations

    Abnormal connections to a dormant host

    Low overridden

    The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network. overridden

  • Abnormal increase in network-related alerts on the same host Low

    Abnormal increase in network-related alerts on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts.
  • Abnormal network communication through TOR using an uncommon port Low 2 variations

    Suspicious connection from a known TOR IP to an uncommon port.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.
    Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.

    Variations

    Abnormal network communication through TOR using an uncommon port and App-id

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden

    Abnormal network communication through TOR using a suspicious port

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden

  • Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare

    Low overridden

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden

  • Abnormal process connection to default Meterpreter port Informational 1 variation

    This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.
    Investigative actions: Verify if the destination IP is running a Metasploit server. Look for malicious action being done by the suspicious process.

    Variations

    Abnormal process connection to default Meterpreter port on an internet-facing server

    Low overridden

    This process has probably been compromised by Meterpreter and is now used by it to run malicious commands. overridden

  • Abnormal sensitive RPC traffic to multiple hosts Low 1 variation

    The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.

    Variations

    Abnormal sensitive RPC traffic to multiple IPs

    Informational overridden

    The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface. overridden

  • Abnormal sensitive RPC traffic to multiple hosts from a rarely seen host Low

    The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.
  • Access to Kubernetes CA certificate file Informational 1 variation

    A process accessed a Kubernetes CA certificate file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Make API calls against the Kubernetes cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed certificate was used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed certificate.

    Variations

    Access to Kubernetes CA certificate file by an unusual process

    Low overridden

    A process accessed a Kubernetes CA certificate file for the first time. overridden

  • Access to Kubernetes configuration file Informational 3 variations

    A process accessed a Kubernetes node configuration file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Gain access to the Kubernetes environment.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to Kubernetes configuration file by an unusual process

    Low overridden

    A process accessed a Kubernetes node configuration file. overridden

    Access to Kubernetes configuration file from an unusual Kubernetes pod

    Low overridden

    A process accessed a Kubernetes node configuration file. overridden

    Access to Kubernetes configuration file from a Kubernetes pod

    Informational overridden

    A process accessed a Kubernetes node configuration file. overridden

  • Access to kubelet credentials file Informational 1 variation

    A process accessed a kubelet credentials file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Impersonate the node agent to gain control over the cluster.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to kubelet credentials file by an unusual process

    Low overridden

    A process accessed a kubelet credentials file for the first time. overridden

  • Access to sensitive host files from within a Kubernetes pod Informational 2 variations

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Access to the host filesystem.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed files were used for malicious activity. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to sensitive host files from within a Kubernetes pod via an interactive shell

    Medium overridden

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden

    Unusual access to sensitive host files from within a Kubernetes pod

    Low overridden

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden

  • Account probing Low Identity Analytics

    A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Gain access to hosts by using stolen user-account credentials.
    Investigative actions: Check if the user account was compromised, and which resources it could access.
  • Adding execution privileges Informational 1 variation

    A script was granted execution privileges using chmod before being run.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use chmod to grant execution privileges to scripts or binaries for malicious execution.
    Investigative actions: Verify that this activity is not part of normal IT operations. Check for similar commands executed on other hosts.

    Variations

    Adding execution privileges in a Kubernetes pod

    Informational overridden

    A script was granted execution privileges using chmod before being run. overridden

  • Admin privileges were granted to a Google Workspace user Informational Identity Threat Module

    Admin privileges were granted to a Google Workspace user. This user now has access to additional administrative functions and settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to sensitive data stored in Google Workspace. Manipulate or delete data stored in Google Workspace. Gain access to privileged features in Google Workspace.
    Investigative actions: Check which Google Workspace user was granted the admin privileges. Check if the user is authorized to be granted such privileges. Review the audit logs to determine the actions taken by the user.
  • Administrator groups enumerated via LDAP Informational

    An LDAP search query that collects information about administrators was executed. This may be indicative of Active Directory domain enumeration, which can be used to perform attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators.
  • Allocation of multiple cloud compute resources Informational Cloud 5 variations

    An identity allocated multiple compute resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to earn virtual currency.
    Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.

    Variations

    Unusual allocation of multiple cloud compute resources

    High overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden

    Allocation of multiple cloud compute resources with accelerator gear

    Low overridden

    An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden

    Unusual allocation attempt of multiple cloud compute resources

    Low overridden

    An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

  • An AWS EC2 instance containing sensitive data was exported Informational Cloud

    A EC2 instance was exported to an S3 bucket.The instance was found to contain sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • An AWS EC2 instance was exported from a production account Informational Cloud

    An EC2 instance was exported from a production account to an S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • An AWS EC2 instance was exported into an unknown S3 bucket Informational Cloud

    An EC2 instance was exported to an unknown S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • An AWS EFS File-share mount was deleted Informational Cloud

    An AWS EFS File-share mount was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Modify or delete data stored in the EFS File-share.
    Investigative actions: Verify whether the identity that deleted the File-share should be making this action.
  • An AWS EFS file-share was deleted Informational Cloud

    An AWS EFS File-share has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Gain access to sensitive data stored on the AWS EFS File-share.
    Investigative actions: Check the AWS EFS File-shares for any modifications or deletions.
  • An AWS EKS cluster was created or deleted Informational Cloud

    An AWS EKS cluster has been created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.
    Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.
  • An AWS GuardDuty IP set was created Informational Cloud

    An AWS GuardDuty IP set has been created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which IP set has been modified and confirm the changes.
  • An AWS Lambda Function was created Informational Cloud

    An AWS Lambda Function was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: AWS Audit Log
    Attacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.
    Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.
  • An AWS Lambda function was modified Informational Cloud

    An AWS Lambda function was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: AWS Audit Log
    Attacker's goals: Modification of Lambda functions may provide attackers access to run code against cloud environments.
    Investigative actions: Check what modifications were made to the AWS Lambda function.
  • An AWS RDS Global Cluster Deletion Informational Cloud

    An AWS RDS global cluster was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Destruction of data.
    Investigative actions: Check for existing backups for the deleted cluster. Check if a secondary cluster exists, which was detached before the global deletion.
  • An AWS RDS instance was created from a snapshot Informational Cloud

    A new AWS RDS instance was created from a publicly available RDS snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Gain access to the RDS instance. Access confidential data stored in the RDS instance.
    Investigative actions: Check the RDS instance status in the AWS console. Verify if the instance is publicly accessible.
  • An AWS Route 53 domain was transferred to another AWS account Informational Cloud

    An AWS Route 53 domain was transferred to another AWS account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Resource Development (TA0042)
    ATT&CK techniques: Acquire Infrastructure: Domains (T1583.001)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to DNS records and abuse them for malicious purposes.
    Investigative actions: Check if the domain transfer was done by an authorized user.
  • An AWS S3 bucket configuration was modified Informational Cloud

    An AWS S3 bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify storage configuration to detection or allow access to sensitive information.
    Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.
  • An AWS SAML provider was modified Informational Cloud

    An AWS SAML provider was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)
    Required data: AWS Audit Log
    Attacker's goals: Gain privileged access to AWS accounts.
    Investigative actions: Check what changes were made to the SAML provider.
  • An AWS SES identity was deleted Informational Cloud

    An AWS SES identity has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to confidential emails of an organization.
    Investigative actions: Check whether the identity that executed the API should be making this action.
  • An AWS database service master user password was changed Informational Cloud 2 variations

    An AWS database service master user password was changed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Gain access and control of the database.
    Investigative actions: Confirm the identity intended to perform this action. Follow further actions done by the identity. Check what other changes were made to the AWS Database instance or cluster.

    Variations

    An AWS Database Service master user password was changed from an unusual country

    Low overridden

    An AWS database service master user password was changed. overridden

    An AWS Database Service master user password was changed by a non-DevOps identity

    Low overridden

    An AWS database service master user password was changed. overridden

  • An Azure DNS Zone was modified Informational Cloud

    An Azure DNS zone has been changed or removed, which may indicate malicious activity or a misconfiguration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol: DNS (T1071.004)
    Required data: Azure Audit Log
    Attacker's goals: Take control of DNS zones to redirect traffic to malicious websites.
    Investigative actions: Verify whether the identity should be making this action. Check what Azure DNS zones were changed or removed.
  • An Azure Firewall policy deletion Low Cloud

    An Azure Firewall policy was deleted. An attacker might use this technique to disable network defenses.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate information, network persistence of a service/resource.
    Investigative actions: Check which subnets or specific IP addresses were affected by the change. Check which services were accessed after the firewall change and via which protocols or network traffic.
  • An Azure Firewall rule collection group was modified or deleted Informational Cloud

    An Azure Firewall rule collection group was modified or deleted. This could indicate a malicious actor attempting to bypass security measures.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures to gain access to cloud resources.
    Investigative actions: Check the Azure Firewall rule collection group to identify the modified or deleted rules.
  • An Azure Firewall was modified Informational Cloud

    An Azure Firewall was modified or deleted. This may indicate a security risk.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Verify whether the identity should be making this action. Check what changes were made to Azure Firewall.
  • An Azure Key Vault key was modified Informational Cloud

    An Azure Key Vault key was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the Azure Key Vault.
    Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.
  • An Azure Key Vault was modified Informational Cloud

    Azure Key Vault has been modified or deleted by an Identity. This could be an indication of unauthorized access or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to sensitive data stored in the Azure Key Vault.
    Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.
  • An Azure Kubernetes Cluster was created or deleted Informational Cloud

    An Azure Kubernetes Cluster was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Azure Audit Log
    Attacker's goals: Leverage access to Azure Kubernetes to disrupt or damage the organization's infrastructure.
    Investigative actions: Verify whether the identity is authorized to perform this action. Investigate any suspicious activity initiated by the identity.
  • An Azure Kubernetes Role or Cluster-Role was modified Informational Cloud

    An Azure Kubernetes Role or Cluster-Role was modified or deleted. This could indicate malicious activity and should be investigated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.
    Investigative actions: Review the role or ClusterRole changes made by the identity. Determine whether the identity is authorized to perform these actions.
  • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted Informational Cloud

    An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted. This could indicate a security breach or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.
    Investigative actions: Investigate which actions were made by the identity and identify any suspicious activity. Review the Kubernetes configuration to identify any other changes.
  • An Azure Kubernetes Service Account was modified or deleted Informational Cloud

    An Azure Kubernetes Service Account was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to privileged resources using Kubernetes Service Account.
    Investigative actions: Verify whether the identity should be making this action. Check the Kubernetes cluster for any suspicious activity initiated by the identity. Check if any other service accounts have been modified or deleted.
  • An Azure Network Security Group was modified Informational Cloud

    An Azure Network Security Group was modified or deleted. This could indicate malicious activity or a misconfiguration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures to gain access to cloud resources.
    Investigative actions: Check the network security settings of the Azure account to identify any recent changes.
  • An Azure Point-to-Site VPN was modified Informational Cloud

    An Azure Point-to-Site VPN was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security controls.
    Investigative actions: Determine how the Azure Point-to-Site VPN was modified or deleted. Verify whether the identity performing this action is authorized to make such changes.
  • An Azure SQL database was exported from a production subscription Informational Cloud

    An Azure SQL database export was initiated.The database was exported from a production subscription.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Azure Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source SQL instance. Review further actions performed by the identity.
  • An Azure Suppression Rule was created Informational Cloud

    An Azure Suppression Rule was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Investigate the user's activity to determine the cause of the alert.
  • An Azure VM snapshot SAS URL was generated for export from a production subscription Informational Cloud

    A SAS URL for an Azure VM snapshot was generated.The operation was performed within a production subscription.SAS URLs allow others to download or export the snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Azure Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate the VM disk image to access sensitive data stored on the disk.
    Investigative actions: Verify if the identity is authorized to generate SAS URLs for VM snapshots. Check if the snapshot export aligns with scheduled maintenance or backup procedures. Review further actions performed by the identity to see if the snapshot was downloaded or accessed.
  • An Azure VPN Connection was modified Informational Cloud

    Modification or removal of an Azure VPN connection was detected. This alert indicates a change to an existing VPN connection or the deletion of an existing connection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Check how Azure VPN Connection was modified. Verify whether the identity should be making this action.
  • An Azure application reached a throttling API rate Informational Cloud 2 variations

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Enumerate cloud services in an Azure tenant.
    Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.

    Variations

    An Azure application reached an unusual throttling API rate

    Informational overridden

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden

    An Azure application reached an unusual throttling API rate

    Low overridden

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden

  • An Azure firewall rule group was modified Informational Cloud

    An Azure firewall rule group was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security controls to gain access to restricted resources within the Azure cloud environment.
    Investigative actions: Check the Azure Firewall rule configuration to identify the changes made. Verify whether the identity should be making this action.
  • An Azure identity performed multiple actions that were denied Informational Cloud 3 variations

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Execute various of commands to explore the cloud environment.
    Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.

    Variations

    An Azure application attempted multiple actions on resources that were denied

    Medium overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

    An Azure identity attempted multiple actions on resources that were denied

    Low overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

    An Azure application performed multiple actions that were denied

    Low overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

  • An Azure virtual network Device was modified Informational Cloud

    An Azure virtual network Device was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to resources within the virtual network. Gain access to sensitive data stored on the virtual network.
    Investigative actions: Investigate the Azure portal for the relevant virtual network device and review the changes made to it. Review the Azure Activity Log for any suspicious activities related to the virtual network device.
  • An Azure virtual network was modified Informational Cloud

    An Azure virtual network has been modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Azure Audit Log
    Attacker's goals: Manipulate, interrupt, or destroy data.
    Investigative actions: Verify whether the identity should be making this action. Check the audit logs for any suspicious activity related to the virtual network.
  • An EBS snapshot block was downloaded Informational Cloud 2 variations

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An EBS snapshot block was downloaded from a snapshot with sensitive data

    Medium overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden

    An unusual download of EBS snapshot block

    Low overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden

  • An Email address was added to AWS SES Informational Cloud

    An Email address was added to AWS SES.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to SES account. Abuse the new identity as a spambot.
    Investigative actions: Check which identity was added to the service.
  • An IAM group was created Informational Cloud

    An IAM group was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: AWS Audit Log
    Attacker's goals: Gain persistence through an IAM user who may be a member of the newly created group.
    Investigative actions: Review the group's permissions. Identify which users were added to the group.
  • An RDS snapshot containing sensitive data was exported Informational Cloud

    An RDS snapshot containing sensitive data was exported to an S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.
  • An RDS snapshot was exported from a production account Informational Cloud

    An RDS snapshot was exported from a production account to an S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.
  • An RDS snapshot was exported to an unknown S3 bucket Low Cloud 3 variations

    An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source snapshot ID. Review further actions performed by the identity and role.

    Variations

    An RDS snapshot was exported to an unknown S3 bucket by an admin identity

    Informational overridden

    An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.The identity has an administrative behavior. overridden

    An RDS snapshot was exported to an unknown S3 bucket with suspicious indicators

    Medium overridden

    An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days. overridden

    An RDS snapshot was exported to an unknown S3 bucket - denied attempt

    Informational overridden

    A denied attempt to export an RDS snapshot to an unknown S3 bucket. overridden

  • An RDS snapshot was exported to an unknown bucket Informational Cloud 1 variation

    An RDS snapshot was exported to an unknown S3 bucket.The destination bucket has not been seen in your tenant in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.

    Variations

    Failed RDS snapshot export attempt to an unknown bucket

    Informational overridden

    A failed attempt to export an RDS snapshot to an unknown bucket. overridden

  • An S3 replication policy to an unknown bucket was created Low Cloud 3 variations

    An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source bucket. Review further actions performed by the identity.

    Variations

    Unusual S3 replication policy to an unknown bucket was created

    Low overridden

    An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The operation was not performed in your organization in the last 30 days. overridden

    An S3 replication policy to an unknown bucket was created by an admin identity

    Informational overridden

    An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The identity has an administrative behavior. overridden

    An S3 replication policy to an unknown bucket was created - denied attempt

    Low overridden

    A denied attempt to create an S3 replication policy to an unknown bucket. overridden

  • An app was added to Google Marketplace Informational Identity Threat Module 3 variations

    An app was added to the Google Workspace Marketplace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Remote Access Tools (T1219)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new app that was added to Google workspace Marketplace. Follow further actions done by the account.

    Variations

    An app was added to Google Marketplace by a non-administrative identity

    Informational overridden

    An app was added to the Google Workspace Marketplace. overridden

    An app was added to Google Marketplace from an unusual ASN

    Low overridden

    An app was added to the Google Workspace Marketplace. overridden

    An unusual app was added to Google Marketplace

    Low overridden

    An app was added to the Google Workspace Marketplace. overridden

  • An app was added to the Google Workspace trusted OAuth apps list Informational Identity Threat Module 2 variations

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was added to the trusted apps list looks suspicious. Follow further actions done by the account.

    Variations

    An unusual app was added to the Google Workspace trusted OAuth apps list

    Low overridden

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden

    An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity

    Low overridden

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden

  • An app was removed from a blocked list in Google Workspace Informational Identity Threat Module 3 variations

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious OAuth Apps can be used to request elevated permissions or to impersonate another user.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was removed from the trusted apps list looks suspicious. Follow further actions done by the account.

    Variations

    An app was removed from a blocked list in Google Workspace by a suspicious identity

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

    An app was removed from a blocked list in Google Workspace by a non Google Workspace administrative user

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

    An app was removed from a blocked list in Google Workspace from an unusual ASN

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

  • An executable was written and executed by a web server Low

    Web server process had written an executable file that was executed shortly after.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.
  • An identity accessed Azure Kubernetes Secrets Informational Cloud

    An identity has accessed or attempted to access Azure Kubernetes secrets or Config Objects.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: Azure Audit Log
    Attacker's goals: Extract Kubernetes secrets to gain access to restricted resources in the cluster.
    Investigative actions: Verify whether the identity should be making this action. Check for any suspicious activity initiated by the identity.
  • An identity accessed a backup cloud storage Informational Cloud 1 variation

    An identity accessed a backup cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity accessed a backup cloud storage which wasn't read recently

    Low overridden

    An identity accessed a backup cloud storage. overridden

  • An identity accessed a cloud storage for the first time Informational Cloud

    An identity accessed a cloud storage resource for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.
  • An identity accessed cloud storage containing sensitive data Informational Cloud

    An identity accessed cloud storage containing sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations

    An identity attached an administrative policy to an IAM user or role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

    Variations

    An identity attached an administrative policy to itself

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    An identity failed to attach an administrative policy to an IAM user or role

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    A suspicious identity attached an administrative policy to an IAM user/role

    Low overridden

    An identity attached an administrative policy to an IAM user or role. overridden

  • An identity created or updated password for an IAM user Informational Cloud 1 variation

    An identity created or updated an AWS console password for an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges, maintain persistence in cloud environments.
    Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.

    Variations

    A suspicious identity created or updated password for an IAM user

    Low overridden

    An identity created or updated an AWS console password for an IAM user. overridden

  • An identity disabled bucket logging Informational Cloud

    An identity disabled bucket logging.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Avoid detection by disabling cloud logging capabilities.
    Investigative actions: Determine whether this activity was done on purpose. Examine additional API calls made by the identity.
  • An identity initiated a download of multiple cloud objects Informational Cloud 2 variations

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume

    Medium overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden

    An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume

    Low overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden

  • An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An identity performed a suspicious download of multiple cloud storage objects from an internal IP

    Informational overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    High overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects from multiple buckets

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden

  • An identity started an AWS SSM session Informational Cloud 2 variations

    An identity started an AWS SSM interactive session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the specifics of the SSM session, including the source IP address, identity, and timestamp. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant instance.

    Variations

    An identity started an unusual AWS SSM session

    Medium overridden

    An identity started an AWS SSM interactive session. overridden

    An unusual identity started an AWS SSM session

    Low overridden

    An identity started an AWS SSM interactive session. overridden

  • An identity successfully extracted multiple secrets within the organization Low Cloud 2 variations

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity successfully enumerated and extracted multiple secrets within the organization

    Medium overridden

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity successfully extracted multiple secrets within the organization across multiple regions

    Medium overridden

    An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • An identity was granted permissions to manage user access to Azure resources Informational Cloud

    An identity was granted the User Access Administrator permission at the tenant scope.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)
    Required data: Azure Audit Log
    Attacker's goals: Elevate permission to gain access to all Azure Subscriptions.
    Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.
  • An internal Cloud resource performed port scan on external networks Medium Cloud

    An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Impact (TA0040)
    ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)
    Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR Agent
    Attacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.
    Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.
  • An operation was performed by an identity from a domain that was not seen in the organization Informational Cloud 1 variation

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.
    Investigative actions: Investigate the external domain name. Check The cloud identity activity in the organization.

    Variations

    An operation was performed by an identity from a domain that was not seen in the tenant

    Low overridden

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before. overridden

  • An uncommon RDP session from a managed host Informational 5 variations

    An RDP session was established with uncommon parameters from a managed host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.
    Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.

    Variations

    An uncommon RDP session initiated by a chained RDP client

    Low overridden

    An RDP session was established by a process that is itself an RDP client, which is uncommon behavior. overridden

    An uncommon RDP session initiated by a globally rare RDP client

    Low overridden

    An RDP session was established by a process hash that has not been seen globally, which is uncommon. overridden

    An uncommon RDP session initiated by a rare RDP client

    Low overridden

    An RDP session was established by a process hash that is rare in the environment. overridden

    An uncommon RDP session from a host that rarely initiates RDP

    Low overridden

    An RDP session was initiated from a host that does not typically establish RDP connections. overridden

    An uncommon RDP session initiated by a process with rare causality

    Low overridden

    An RDP session was established by a process with an uncommon parent process relationship. overridden

  • An uncommon RDP session was established Informational 5 variations

    An RDP session was established with uncommon parameters.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: XDR Agent
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.
    Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.

    Variations

    An uncommon RDP session was established from a Suspicious Autonomous System (AS)

    Medium overridden

    An RDP session was established with uncommon parameters. overridden

    An uncommon RDP session was established originating from a chained RDP session which is also from a rare subnet

    Low overridden

    An RDP session was established with uncommon parameters. The connection appears to originate from an endpoint that itself received an RDP connection, suggesting a chained session. overridden

    An uncommon RDP session was established between subnets with no prior communication

    Low overridden

    An RDP session was established with uncommon parameters. The source and destination subnets have not been observed communicating with each other previously. overridden

    An uncommon RDP session was established involving subnets with no prior RDP history

    Low overridden

    An RDP session was established with uncommon parameters. Neither the source nor the destination subnet has been observed participating in RDP sessions previously. overridden

    An uncommon RDP session was established involving a destination subnet which rarely receives incoming RDP sessions

    Low overridden

    An RDP session was established with uncommon parameters. The destination subnet is rarely involved in RDP activity. overridden

  • An uncommon executable was remotely written over SMB to an uncommon destination Low 3 variations

    An uncommon executable was remotely written over SMB to a destination, which was not involved in significant similar activity during last month.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Transfer tools as part of lateral movement activity across the network.
    Investigative actions: Verify if the shared file is malicious. Investigate if the file was executed on the host. Check the remote SMB client for other suspicious activities.

    Variations

    An uncommon executable was remotely written over SMB to a highly suspicious destination

    High overridden

    An uncommon executable was remotely written over SMB to a highly suspicious destination, which was not involved in significant similar activity during last month. overridden

    An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination

    Medium overridden

    An uncommon executable with SCR extension was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden

    PsExec remote service component was remotely written over SMB to an uncommon destination

    Low overridden

    PsExec remote service component was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden

  • An uncommon file added to startup-related Registry keys Informational 5 variations

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes files or scripts on user login or computer boot.
    Investigative actions: Verify if the registered file is malicious. Check if the installing software is a malicious binary or script.

    Variations

    An uncommon file added to startup-related Registry keys by an unsigned and unpopular CGO process

    Low overridden

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon script added to startup-related Registry keys

    Low overridden

    An attacker may add a script to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon file added to startup-related Registry keys by a commonly known and signed application

    Low overridden

    An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon LOLBIN added to startup-related Registry keys

    Low overridden

    An attacker may add a LOLBIN to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

    An uncommon file added to startup-related Registry keys by a remote actor

    Low overridden

    A remote attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden

  • An uncommon file was created in the startup folder Informational 4 variations

    An uncommon file was created in the startup folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Maintain persistence on the host through automatic execution at startup.
    Investigative actions: Determine if the file was created as part of a legitimate application installation, and check other files written by the same process. Identify which program opens this file based on its extension. Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.

    Variations

    An executable file with a non-default extension was added to the startup folder

    Medium overridden

    An executable file with a non-default extension was added to the startup folder. overridden

    An executable or script was added to the startup folder

    Low overridden

    An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system. overridden

    A file with an uncommon extension was added to the startup folder

    Low overridden

    A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden

    A new shortcut (lnk) was added to the startup folder

    Low overridden

    A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden

  • An uncommon lolbin execution by scheduled task Informational 2 variations

    A lolbin was executed with uncommon commandline by a scheduled task.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Scheduled Task/Job (T1053)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.
    Investigative actions: Review the lolbin's command line executed by the schedule task. Investigate the specific scheduled task execution chain. Investigate how the scheduled task was created and the actor who created it.

    Variations

    An uncommon lolbin execution by scheduled task on a sensitive server

    Informational overridden

    A lolbin was executed with uncommon commandline by a scheduled task. overridden

    A rare and commonly-abused lolbin execution by scheduled task

    Informational overridden

    A commonly abused lolbin was executed with uncommon commandline by a scheduled task. overridden

  • An uncommon service was started Low 1 variation

    An uncommon service was started using systemctl or service processes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    An uncommon service was started in a Kubernetes pod

    Low overridden

    An uncommon service was started using systemctl or service processes. overridden

  • An unknown account was invited to the AWS organization Informational Cloud

    An unknown account was invited to your AWS organization.The target account was not seen in your tenant for the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Establish persistent access to the compromised cloud account.
    Investigative actions: Identify the invited account ID and ownership. Review additional actions performed by the identity and role.
  • An unpopular process accessed the microphone on the host Low 1 variation

    An unpopular process accessed the microphone on the host, the process can abuse this device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Audio Capture (T1123) Video Capture (T1125)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Surround recording or video capture in the workplace may leak corporate data. Surround recording or video capture of the user space can expose them to potential risks as worker extortion, sextortion, etc.
    Investigative actions: Check if the application that registered in the Microsoft privacy settings (ConsentStore in registry) is legitimate. Check if the user was aware of the use of the device.

    Variations

    An unpopular process accessed the webcam on the host

    Low overridden

    An unpopular process accessed the webcam on the host, the process can abuse this device. overridden

  • An unsigned process created scheduled task and performed an injection Medium 1 variation

    An unsigned process created scheduled task and performed an injection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.
    Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.

    Variations

    Possible an unsigned installer created scheduled task and performed an injection

    Low overridden

    Possible an unsigned installer created scheduled task and performed an injection. overridden