Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapAbnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.Variations
Suspicious File Activity in SCCMContentLib Shared Folder by user
Low overridden
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden
Abnormal ICMP echo (PING) to multiple hosts Low
An endpoint performed an abnormal ICMP echo (PING) to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 2 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: XDR AgentAttacker's goals: An adversary may use the ICMP protocol to map IP addresses, hostnames and segments to plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed host. Verify if newly services or applications that require network mapping were installed on the initiating host.Abnormal RDP connections to multiple hosts Informational 1 variation
The endpoint attempted to initiate rare RDP connections to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: NDR Lateral Movement Analytics, Enhanced RDP AnalyticsAttacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.Variations
Abnormal RDP connections to multiple hosts
Low overridden
The endpoint attempted to initiate rare RDP connections to multiple hosts. overridden
Abnormal RDP connections to multiple hosts from a rarely seen host Low
The endpoint attempted to initiate rare RDP connections to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: NDR Lateral Movement Analytics, Enhanced RDP Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to move laterally across the network by using compromised accounts or machines to connect to remote hosts via the RDP protocol.Investigative actions: Inspect the legitimacy of the user initiating the RDP connections. Verify that this activity is not part of routine IT operations.Abnormal RDP session to a remote host from a rarely seen host Low
The endpoint performed a rare RDP session to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by using compromised accounts or machines to connect to remote hosts using the RDP protocol.Investigative actions: Inspect the legitimacy of the user which the RDP made the connection with. Verify that this isn't IT activity.Abnormal RPC traffic to multiple hosts Low 1 variation
The endpoint performed unfamiliar RPC activity to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Variations
Abnormal RPC traffic to multiple IPs
Informational overridden
The endpoint performed unfamiliar RPC activity to multiple hosts. overridden
Abnormal Recurring Communications to a Rare Domain Informational 4 variations
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR C2 DetectionAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.Variations
Abnormal Recurring Communications to a Rare Domain With a Port Commonly Used by Attack Platforms
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain With an Abnormal Domain Suffix
Informational overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain With a Less Common Port
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal SMB activity to multiple hosts Low 4 variations
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: XDR AgentDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.Variations
Highly rare SMB activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare, SMB activity to multiple hosts on the network. overridden
Highly rare SMB activity to multiple hosts
Medium overridden
An endpoint performed a new, and highly rare SMB activity to multiple hosts on the network. overridden
Abnormal SMB activity to multiple hosts
Medium overridden
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden
Abnormal SMB activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts Informational 4 variations
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 20 Minutes
- Deduplication:
- 2 Days
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning (T1595)Required data: XDR AgentAttacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.Variations
Highly rare SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network. overridden
Highly rare SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden
Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.Variations
Rare RDP User Login to Domain Controller by an Abnormal Department
Medium overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal RDP User Login to Domain Controller
Low overridden
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
RDP User Login to Domain Controller
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal User Login to Domain Controller by an Abnormal Department
Informational overridden
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.Variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden
Abnormal connections to a dormant host from a newly seen endpoint Informational 1 variation
The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: While probing the network, an attacker may discover dormant hosts. These inactive systems can then be used for lateral movement or privilege escalation.Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.Variations
Abnormal connections to a dormant host
Low overridden
The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network. overridden
Abnormal increase in network-related alerts on the same host Low
Abnormal increase in network-related alerts on the same host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: NDR Insights AnalyticsAttacker's goals: Execute multiple covert actions to circumvent detection.Investigative actions: Investigate the source of all the linked alerts.Abnormal network communication through TOR using an uncommon port Low 2 variations
Suspicious connection from a known TOR IP to an uncommon port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.Variations
Abnormal network communication through TOR using an uncommon port and App-id
Low overridden
Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden
Abnormal network communication through TOR using a suspicious port
Low overridden
Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare
Low overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden
Abnormal process connection to default Meterpreter port Informational 1 variation
This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.Investigative actions: Verify if the destination IP is running a Metasploit server. Look for malicious action being done by the suspicious process.Variations
Abnormal process connection to default Meterpreter port on an internet-facing server
Low overridden
This process has probably been compromised by Meterpreter and is now used by it to run malicious commands. overridden
Abnormal sensitive RPC traffic to multiple hosts Low 1 variation
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Variations
Abnormal sensitive RPC traffic to multiple IPs
Informational overridden
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface. overridden
Abnormal sensitive RPC traffic to multiple hosts from a rarely seen host Low
The endpoint performed unfamiliar RPC activity to multiple hosts using a known sensitive interface.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Access to Kubernetes CA certificate file Informational 1 variation
A process accessed a Kubernetes CA certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Make API calls against the Kubernetes cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed certificate was used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed certificate.Variations
Access to Kubernetes CA certificate file by an unusual process
Low overridden
A process accessed a Kubernetes CA certificate file for the first time. overridden
Access to Kubernetes configuration file Informational 3 variations
A process accessed a Kubernetes node configuration file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENTAttacker's goals: Gain access to the Kubernetes environment.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to Kubernetes configuration file by an unusual process
Low overridden
A process accessed a Kubernetes node configuration file. overridden
Access to Kubernetes configuration file from an unusual Kubernetes pod
Low overridden
A process accessed a Kubernetes node configuration file. overridden
Access to Kubernetes configuration file from a Kubernetes pod
Informational overridden
A process accessed a Kubernetes node configuration file. overridden
Access to kubelet credentials file Informational 1 variation
A process accessed a kubelet credentials file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Impersonate the node agent to gain control over the cluster.Investigative actions: Look for additional suspicious activities. Verify if the exposed credentials were used to access the API server. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to kubelet credentials file by an unusual process
Low overridden
A process accessed a kubelet credentials file for the first time. overridden
Access to sensitive host files from within a Kubernetes pod Informational 2 variations
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Access to the host filesystem.Investigative actions: Look for additional suspicious activities. Verify if the exposed files were used for malicious activity. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to sensitive host files from within a Kubernetes pod via an interactive shell
Medium overridden
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden
Unusual access to sensitive host files from within a Kubernetes pod
Low overridden
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden
Account probing Low Identity Analytics
A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Gain access to hosts by using stolen user-account credentials.Investigative actions: Check if the user account was compromised, and which resources it could access.Adding execution privileges Informational 1 variation
A script was granted execution privileges using chmod before being run.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use chmod to grant execution privileges to scripts or binaries for malicious execution.Investigative actions: Verify that this activity is not part of normal IT operations. Check for similar commands executed on other hosts.Variations
Adding execution privileges in a Kubernetes pod
Informational overridden
A script was granted execution privileges using chmod before being run. overridden
Admin privileges were granted to a Google Workspace user Informational Identity Threat Module
Admin privileges were granted to a Google Workspace user. This user now has access to additional administrative functions and settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to sensitive data stored in Google Workspace. Manipulate or delete data stored in Google Workspace. Gain access to privileged features in Google Workspace.Investigative actions: Check which Google Workspace user was granted the admin privileges. Check if the user is authorized to be granted such privileges. Review the audit logs to determine the actions taken by the user.Administrator groups enumerated via LDAP Informational
An LDAP search query that collects information about administrators was executed. This may be indicative of Active Directory domain enumeration, which can be used to perform attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators.Allocation of multiple cloud compute resources Informational Cloud 5 variations
An identity allocated multiple compute resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.Variations
Unusual allocation of multiple cloud compute resources
High overridden
An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden
Unusual allocation of multiple cloud compute resources
Medium overridden
An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden
Unusual allocation of multiple cloud compute resources
Medium overridden
An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden
Allocation of multiple cloud compute resources with accelerator gear
Low overridden
An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden
Unusual allocation attempt of multiple cloud compute resources
Low overridden
An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden
An AWS EC2 instance containing sensitive data was exported Informational Cloud
A EC2 instance was exported to an S3 bucket.The instance was found to contain sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EC2 instance was exported from a production account Informational Cloud
An EC2 instance was exported from a production account to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EC2 instance was exported into an unknown S3 bucket Informational Cloud
An EC2 instance was exported to an unknown S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EFS File-share mount was deleted Informational Cloud
An AWS EFS File-share mount was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Modify or delete data stored in the EFS File-share.Investigative actions: Verify whether the identity that deleted the File-share should be making this action.An AWS EFS file-share was deleted Informational Cloud
An AWS EFS File-share has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Gain access to sensitive data stored on the AWS EFS File-share.Investigative actions: Check the AWS EFS File-shares for any modifications or deletions.An AWS EKS cluster was created or deleted Informational Cloud
An AWS EKS cluster has been created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.An AWS GuardDuty IP set was created Informational Cloud
An AWS GuardDuty IP set has been created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Evade detection.Investigative actions: Check which IP set has been modified and confirm the changes.An AWS Lambda Function was created Informational Cloud
An AWS Lambda Function was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)Required data: AWS Audit LogAttacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.An AWS Lambda function was modified Informational Cloud
An AWS Lambda function was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Serverless Execution (T1648)Required data: AWS Audit LogAttacker's goals: Modification of Lambda functions may provide attackers access to run code against cloud environments.Investigative actions: Check what modifications were made to the AWS Lambda function.An AWS RDS Global Cluster Deletion Informational Cloud
An AWS RDS global cluster was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Destruction of data.Investigative actions: Check for existing backups for the deleted cluster. Check if a secondary cluster exists, which was detached before the global deletion.An AWS RDS instance was created from a snapshot Informational Cloud
A new AWS RDS instance was created from a publicly available RDS snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Gain access to the RDS instance. Access confidential data stored in the RDS instance.Investigative actions: Check the RDS instance status in the AWS console. Verify if the instance is publicly accessible.An AWS Route 53 domain was transferred to another AWS account Informational Cloud
An AWS Route 53 domain was transferred to another AWS account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Acquire Infrastructure: Domains (T1583.001)Required data: AWS Audit LogAttacker's goals: Gain access to DNS records and abuse them for malicious purposes.Investigative actions: Check if the domain transfer was done by an authorized user.An AWS S3 bucket configuration was modified Informational Cloud
An AWS S3 bucket configuration has been modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Modify storage configuration to detection or allow access to sensitive information.Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.An AWS SAML provider was modified Informational Cloud
An AWS SAML provider was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)Required data: AWS Audit LogAttacker's goals: Gain privileged access to AWS accounts.Investigative actions: Check what changes were made to the SAML provider.An AWS SES identity was deleted Informational Cloud
An AWS SES identity has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogAttacker's goals: Gain access to confidential emails of an organization.Investigative actions: Check whether the identity that executed the API should be making this action.An AWS database service master user password was changed Informational Cloud 2 variations
An AWS database service master user password was changed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Gain access and control of the database.Investigative actions: Confirm the identity intended to perform this action. Follow further actions done by the identity. Check what other changes were made to the AWS Database instance or cluster.Variations
An AWS Database Service master user password was changed from an unusual country
Low overridden
An AWS database service master user password was changed. overridden
An AWS Database Service master user password was changed by a non-DevOps identity
Low overridden
An AWS database service master user password was changed. overridden
An Azure DNS Zone was modified Informational Cloud
An Azure DNS zone has been changed or removed, which may indicate malicious activity or a misconfiguration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol: DNS (T1071.004)Required data: Azure Audit LogAttacker's goals: Take control of DNS zones to redirect traffic to malicious websites.Investigative actions: Verify whether the identity should be making this action. Check what Azure DNS zones were changed or removed.An Azure Firewall policy deletion Low Cloud
An Azure Firewall policy was deleted. An attacker might use this technique to disable network defenses.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Exfiltrate information, network persistence of a service/resource.Investigative actions: Check which subnets or specific IP addresses were affected by the change. Check which services were accessed after the firewall change and via which protocols or network traffic.An Azure Firewall rule collection group was modified or deleted Informational Cloud
An Azure Firewall rule collection group was modified or deleted. This could indicate a malicious actor attempting to bypass security measures.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security measures to gain access to cloud resources.Investigative actions: Check the Azure Firewall rule collection group to identify the modified or deleted rules.An Azure Firewall was modified Informational Cloud
An Azure Firewall was modified or deleted. This may indicate a security risk.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Verify whether the identity should be making this action. Check what changes were made to Azure Firewall.An Azure Key Vault key was modified Informational Cloud
An Azure Key Vault key was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the Azure Key Vault.Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.An Azure Key Vault was modified Informational Cloud
Azure Key Vault has been modified or deleted by an Identity. This could be an indication of unauthorized access or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Gain access to sensitive data stored in the Azure Key Vault.Investigative actions: Check the Azure Key Vault configuration to identify what changes were made.An Azure Kubernetes Cluster was created or deleted Informational Cloud
An Azure Kubernetes Cluster was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Azure Audit LogAttacker's goals: Leverage access to Azure Kubernetes to disrupt or damage the organization's infrastructure.Investigative actions: Verify whether the identity is authorized to perform this action. Investigate any suspicious activity initiated by the identity.An Azure Kubernetes Role or Cluster-Role was modified Informational Cloud
An Azure Kubernetes Role or Cluster-Role was modified or deleted. This could indicate malicious activity and should be investigated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.Investigative actions: Review the role or ClusterRole changes made by the identity. Determine whether the identity is authorized to perform these actions.An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted Informational Cloud
An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted. This could indicate a security breach or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.Investigative actions: Investigate which actions were made by the identity and identify any suspicious activity. Review the Kubernetes configuration to identify any other changes.An Azure Kubernetes Service Account was modified or deleted Informational Cloud
An Azure Kubernetes Service Account was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Azure Audit LogAttacker's goals: Gain access to privileged resources using Kubernetes Service Account.Investigative actions: Verify whether the identity should be making this action. Check the Kubernetes cluster for any suspicious activity initiated by the identity. Check if any other service accounts have been modified or deleted.An Azure Network Security Group was modified Informational Cloud
An Azure Network Security Group was modified or deleted. This could indicate malicious activity or a misconfiguration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures to gain access to cloud resources.Investigative actions: Check the network security settings of the Azure account to identify any recent changes.An Azure Point-to-Site VPN was modified Informational Cloud
An Azure Point-to-Site VPN was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security controls.Investigative actions: Determine how the Azure Point-to-Site VPN was modified or deleted. Verify whether the identity performing this action is authorized to make such changes.An Azure SQL database was exported from a production subscription Informational Cloud
An Azure SQL database export was initiated.The database was exported from a production subscription.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source SQL instance. Review further actions performed by the identity.An Azure Suppression Rule was created Informational Cloud
An Azure Suppression Rule was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Investigate the user's activity to determine the cause of the alert.An Azure VM snapshot SAS URL was generated for export from a production subscription Informational Cloud
A SAS URL for an Azure VM snapshot was generated.The operation was performed within a production subscription.SAS URLs allow others to download or export the snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate the VM disk image to access sensitive data stored on the disk.Investigative actions: Verify if the identity is authorized to generate SAS URLs for VM snapshots. Check if the snapshot export aligns with scheduled maintenance or backup procedures. Review further actions performed by the identity to see if the snapshot was downloaded or accessed.An Azure VPN Connection was modified Informational Cloud
Modification or removal of an Azure VPN connection was detected. This alert indicates a change to an existing VPN connection or the deletion of an existing connection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Check how Azure VPN Connection was modified. Verify whether the identity should be making this action.An Azure application reached a throttling API rate Informational Cloud 2 variations
An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Enumerate cloud services in an Azure tenant.Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.Variations
An Azure application reached an unusual throttling API rate
Informational overridden
An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden
An Azure application reached an unusual throttling API rate
Low overridden
An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden
An Azure firewall rule group was modified Informational Cloud
An Azure firewall rule group was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security controls to gain access to restricted resources within the Azure cloud environment.Investigative actions: Check the Azure Firewall rule configuration to identify the changes made. Verify whether the identity should be making this action.An Azure identity performed multiple actions that were denied Informational Cloud 3 variations
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Execute various of commands to explore the cloud environment.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
An Azure application attempted multiple actions on resources that were denied
Medium overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure identity attempted multiple actions on resources that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure application performed multiple actions that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure virtual network Device was modified Informational Cloud
An Azure virtual network Device was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Azure Audit LogAttacker's goals: Gain access to resources within the virtual network. Gain access to sensitive data stored on the virtual network.Investigative actions: Investigate the Azure portal for the relevant virtual network device and review the changes made to it. Review the Azure Activity Log for any suspicious activities related to the virtual network device.An Azure virtual network was modified Informational Cloud
An Azure virtual network has been modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Azure Audit LogAttacker's goals: Manipulate, interrupt, or destroy data.Investigative actions: Verify whether the identity should be making this action. Check the audit logs for any suspicious activity related to the virtual network.An EBS snapshot block was downloaded Informational Cloud 2 variations
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An EBS snapshot block was downloaded from a snapshot with sensitive data
Medium overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden
An unusual download of EBS snapshot block
Low overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden
An Email address was added to AWS SES Informational Cloud
An Email address was added to AWS SES.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to SES account. Abuse the new identity as a spambot.Investigative actions: Check which identity was added to the service.An IAM group was created Informational Cloud
An IAM group was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: AWS Audit LogAttacker's goals: Gain persistence through an IAM user who may be a member of the newly created group.Investigative actions: Review the group's permissions. Identify which users were added to the group.An RDS snapshot containing sensitive data was exported Informational Cloud
An RDS snapshot containing sensitive data was exported to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.An RDS snapshot was exported from a production account Informational Cloud
An RDS snapshot was exported from a production account to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.An RDS snapshot was exported to an unknown S3 bucket Low Cloud 3 variations
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source snapshot ID. Review further actions performed by the identity and role.Variations
An RDS snapshot was exported to an unknown S3 bucket by an admin identity
Informational overridden
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.The identity has an administrative behavior. overridden
An RDS snapshot was exported to an unknown S3 bucket with suspicious indicators
Medium overridden
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days. overridden
An RDS snapshot was exported to an unknown S3 bucket - denied attempt
Informational overridden
A denied attempt to export an RDS snapshot to an unknown S3 bucket. overridden
An RDS snapshot was exported to an unknown bucket Informational Cloud 1 variation
An RDS snapshot was exported to an unknown S3 bucket.The destination bucket has not been seen in your tenant in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.Variations
Failed RDS snapshot export attempt to an unknown bucket
Informational overridden
A failed attempt to export an RDS snapshot to an unknown bucket. overridden
An S3 replication policy to an unknown bucket was created Low Cloud 3 variations
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source bucket. Review further actions performed by the identity.Variations
Unusual S3 replication policy to an unknown bucket was created
Low overridden
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The operation was not performed in your organization in the last 30 days. overridden
An S3 replication policy to an unknown bucket was created by an admin identity
Informational overridden
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The identity has an administrative behavior. overridden
An S3 replication policy to an unknown bucket was created - denied attempt
Low overridden
A denied attempt to create an S3 replication policy to an unknown bucket. overridden
An app was added to Google Marketplace Informational Identity Threat Module 3 variations
An app was added to the Google Workspace Marketplace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Remote Access Tools (T1219)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new app that was added to Google workspace Marketplace. Follow further actions done by the account.Variations
An app was added to Google Marketplace by a non-administrative identity
Informational overridden
An app was added to the Google Workspace Marketplace. overridden
An app was added to Google Marketplace from an unusual ASN
Low overridden
An app was added to the Google Workspace Marketplace. overridden
An unusual app was added to Google Marketplace
Low overridden
An app was added to the Google Workspace Marketplace. overridden
An app was added to the Google Workspace trusted OAuth apps list Informational Identity Threat Module 2 variations
An identity added an OAuth app to the Google Workspace trusted OAuth apps list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was added to the trusted apps list looks suspicious. Follow further actions done by the account.Variations
An unusual app was added to the Google Workspace trusted OAuth apps list
Low overridden
An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden
An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity
Low overridden
An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden
An app was removed from a blocked list in Google Workspace Informational Identity Threat Module 3 variations
An identity removed an app from Google Workspace blocked OAuth or third-party apps list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious OAuth Apps can be used to request elevated permissions or to impersonate another user.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was removed from the trusted apps list looks suspicious. Follow further actions done by the account.Variations
An app was removed from a blocked list in Google Workspace by a suspicious identity
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An app was removed from a blocked list in Google Workspace by a non Google Workspace administrative user
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An app was removed from a blocked list in Google Workspace from an unusual ASN
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An executable was written and executed by a web server Low
Web server process had written an executable file that was executed shortly after.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.An identity accessed Azure Kubernetes Secrets Informational Cloud
An identity has accessed or attempted to access Azure Kubernetes secrets or Config Objects.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Extract Kubernetes secrets to gain access to restricted resources in the cluster.Investigative actions: Verify whether the identity should be making this action. Check for any suspicious activity initiated by the identity.An identity accessed a backup cloud storage Informational Cloud 1 variation
An identity accessed a backup cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity accessed a backup cloud storage which wasn't read recently
Low overridden
An identity accessed a backup cloud storage. overridden
An identity accessed a cloud storage for the first time Informational Cloud
An identity accessed a cloud storage resource for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.An identity accessed cloud storage containing sensitive data Informational Cloud
An identity accessed cloud storage containing sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations
An identity attached an administrative policy to an IAM user or role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.Variations
An identity attached an administrative policy to itself
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity failed to attach an administrative policy to an IAM user or role
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
A suspicious identity attached an administrative policy to an IAM user/role
Low overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity created or updated password for an IAM user Informational Cloud 1 variation
An identity created or updated an AWS console password for an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit LogAttacker's goals: Escalate privileges, maintain persistence in cloud environments.Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.Variations
A suspicious identity created or updated password for an IAM user
Low overridden
An identity created or updated an AWS console password for an IAM user. overridden
An identity disabled bucket logging Informational Cloud
An identity disabled bucket logging.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Avoid detection by disabling cloud logging capabilities.Investigative actions: Determine whether this activity was done on purpose. Examine additional API calls made by the identity.An identity initiated a download of multiple cloud objects Informational Cloud 2 variations
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume
Medium overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden
An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume
Low overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An identity performed a suspicious download of multiple cloud storage objects from an internal IP
Informational overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
An identity performed a suspicious download of multiple cloud storage objects
High overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden
An identity started an AWS SSM session Informational Cloud 2 variations
An identity started an AWS SSM interactive session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.Investigative actions: Examine the specifics of the SSM session, including the source IP address, identity, and timestamp. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant instance.Variations
An identity started an unusual AWS SSM session
Medium overridden
An identity started an AWS SSM interactive session. overridden
An unusual identity started an AWS SSM session
Low overridden
An identity started an AWS SSM interactive session. overridden
An identity successfully extracted multiple secrets within the organization Low Cloud 2 variations
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity successfully enumerated and extracted multiple secrets within the organization
Medium overridden
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity successfully extracted multiple secrets within the organization across multiple regions
Medium overridden
An identity successfully dumped multiple secrets from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity was granted permissions to manage user access to Azure resources Informational Cloud
An identity was granted the User Access Administrator permission at the tenant scope.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)Required data: Azure Audit LogAttacker's goals: Elevate permission to gain access to all Azure Subscriptions.Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.An internal Cloud resource performed port scan on external networks Medium Cloud
An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Impact (TA0040)ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR AgentAttacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.An operation was performed by an identity from a domain that was not seen in the organization Informational Cloud 1 variation
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.Investigative actions: Investigate the external domain name. Check The cloud identity activity in the organization.Variations
An operation was performed by an identity from a domain that was not seen in the tenant
Low overridden
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before. overridden
An uncommon RDP session from a managed host Informational 5 variations
An RDP session was established with uncommon parameters from a managed host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Variations
An uncommon RDP session initiated by a chained RDP client
Low overridden
An RDP session was established by a process that is itself an RDP client, which is uncommon behavior. overridden
An uncommon RDP session initiated by a globally rare RDP client
Low overridden
An RDP session was established by a process hash that has not been seen globally, which is uncommon. overridden
An uncommon RDP session initiated by a rare RDP client
Low overridden
An RDP session was established by a process hash that is rare in the environment. overridden
An uncommon RDP session from a host that rarely initiates RDP
Low overridden
An RDP session was initiated from a host that does not typically establish RDP connections. overridden
An uncommon RDP session initiated by a process with rare causality
Low overridden
An RDP session was established by a process with an uncommon parent process relationship. overridden
An uncommon RDP session was established Informational 5 variations
An RDP session was established with uncommon parameters.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Variations
An uncommon RDP session was established from a Suspicious Autonomous System (AS)
Medium overridden
An RDP session was established with uncommon parameters. overridden
An uncommon RDP session was established originating from a chained RDP session which is also from a rare subnet
Low overridden
An RDP session was established with uncommon parameters. The connection appears to originate from an endpoint that itself received an RDP connection, suggesting a chained session. overridden
An uncommon RDP session was established between subnets with no prior communication
Low overridden
An RDP session was established with uncommon parameters. The source and destination subnets have not been observed communicating with each other previously. overridden
An uncommon RDP session was established involving subnets with no prior RDP history
Low overridden
An RDP session was established with uncommon parameters. Neither the source nor the destination subnet has been observed participating in RDP sessions previously. overridden
An uncommon RDP session was established involving a destination subnet which rarely receives incoming RDP sessions
Low overridden
An RDP session was established with uncommon parameters. The destination subnet is rarely involved in RDP activity. overridden
An uncommon executable was remotely written over SMB to an uncommon destination Low 3 variations
An uncommon executable was remotely written over SMB to a destination, which was not involved in significant similar activity during last month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Transfer tools as part of lateral movement activity across the network.Investigative actions: Verify if the shared file is malicious. Investigate if the file was executed on the host. Check the remote SMB client for other suspicious activities.Variations
An uncommon executable was remotely written over SMB to a highly suspicious destination
High overridden
An uncommon executable was remotely written over SMB to a highly suspicious destination, which was not involved in significant similar activity during last month. overridden
An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination
Medium overridden
An uncommon executable with SCR extension was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden
PsExec remote service component was remotely written over SMB to an uncommon destination
Low overridden
PsExec remote service component was remotely written over SMB to a destination, which was not involved in significant similar activity during last month. overridden
An uncommon file added to startup-related Registry keys Informational 5 variations
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence using the legitimate Windows registry run key mechanism, which executes files or scripts on user login or computer boot.Investigative actions: Verify if the registered file is malicious. Check if the installing software is a malicious binary or script.Variations
An uncommon file added to startup-related Registry keys by an unsigned and unpopular CGO process
Low overridden
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon script added to startup-related Registry keys
Low overridden
An attacker may add a script to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file added to startup-related Registry keys by a commonly known and signed application
Low overridden
An attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon LOLBIN added to startup-related Registry keys
Low overridden
An attacker may add a LOLBIN to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file added to startup-related Registry keys by a remote actor
Low overridden
A remote attacker may add a file to the Registry "Run Keys" or the "Winlogon\Userinit" key to cause it to be executed as the user logs in. overridden
An uncommon file was created in the startup folder Informational 4 variations
An uncommon file was created in the startup folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Maintain persistence on the host through automatic execution at startup.Investigative actions: Determine if the file was created as part of a legitimate application installation, and check other files written by the same process. Identify which program opens this file based on its extension. Check the registry at HKEY_CLASSES_ROOT\[extension]\shell\[action]\command to see the default application or command used to execute the file.Variations
An executable file with a non-default extension was added to the startup folder
Medium overridden
An executable file with a non-default extension was added to the startup folder. overridden
An executable or script was added to the startup folder
Low overridden
An executable or script was added to the startup folder. This may occur during a legitimate program installation but could also indicate a malicious program persisting on the system. overridden
A file with an uncommon extension was added to the startup folder
Low overridden
A file with an uncommon extension was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden
A new shortcut (lnk) was added to the startup folder
Low overridden
A new shortcut (lnk) file was added to the startup folder, which may happen on new program installation, but may also indicate a malicious program persisting itself. overridden
An uncommon lolbin execution by scheduled task Informational 2 variations
A lolbin was executed with uncommon commandline by a scheduled task.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Scheduled Task/Job (T1053)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to gain persistence, privilege escalation or proxy execution on the endpoint using scheduled tasks.Investigative actions: Review the lolbin's command line executed by the schedule task. Investigate the specific scheduled task execution chain. Investigate how the scheduled task was created and the actor who created it.Variations
An uncommon lolbin execution by scheduled task on a sensitive server
Informational overridden
A lolbin was executed with uncommon commandline by a scheduled task. overridden
A rare and commonly-abused lolbin execution by scheduled task
Informational overridden
A commonly abused lolbin was executed with uncommon commandline by a scheduled task. overridden
An uncommon service was started Low 1 variation
An uncommon service was started using systemctl or service processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
An uncommon service was started in a Kubernetes pod
Low overridden
An uncommon service was started using systemctl or service processes. overridden
An unknown account was invited to the AWS organization Informational Cloud
An unknown account was invited to your AWS organization.The target account was not seen in your tenant for the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Establish persistent access to the compromised cloud account.Investigative actions: Identify the invited account ID and ownership. Review additional actions performed by the identity and role.An unpopular process accessed the microphone on the host Low 1 variation
An unpopular process accessed the microphone on the host, the process can abuse this device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Audio Capture (T1123) Video Capture (T1125)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Surround recording or video capture in the workplace may leak corporate data. Surround recording or video capture of the user space can expose them to potential risks as worker extortion, sextortion, etc.Investigative actions: Check if the application that registered in the Microsoft privacy settings (ConsentStore in registry) is legitimate. Check if the user was aware of the use of the device.Variations
An unpopular process accessed the webcam on the host
Low overridden
An unpopular process accessed the webcam on the host, the process can abuse this device. overridden
An unsigned process created scheduled task and performed an injection Medium 1 variation
An unsigned process created scheduled task and performed an injection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.Variations
Possible an unsigned installer created scheduled task and performed an injection
Low overridden
Possible an unsigned installer created scheduled task and performed an injection. overridden