Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

207 alerts match the current filters. tactic: TA0003 ✕

Show ATT&CK heatmap
  • User added a new device to Okta Verify instance Informational Identity Threat Module 1 variation

    The user has successfully registered a new device with the Okta Verify application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.
    Investigative actions: Reach out to the user responsible for the device registration to confirm its legitimacy. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN). Make sure the IP address is not showing any abnormal activity. Monitor the activity from the new registered device and ensure that it matches the user's normal activity.

    Variations

    Suspicious device enrollment to Okta

    Low overridden

    A new device was registered on Okta with suspicious characteristics, which increased the alert severity. overridden

  • User added to a group and removed Informational Identity Analytics 2 variations

    A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.

    Variations

    Rare privileged group addition and removal

    Medium overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

    User added to a privileged group and removed

    Low overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

  • User added to the SMS Admins local group Low Identity Analytics 1 variation

    A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.

    Variations

    User added to the SMS Admins group and removed

    Medium overridden

    A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden

  • User installed an application in Microsoft Teams via Graph API Informational Identity Threat Module 1 variation

    A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Cloud Application Integration (T1671)
    Required data: Microsoft Graph Logs
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.

    Variations

    User installed an application in Microsoft Teams via Graph API from a first seen ASN

    Low overridden

    A user who rarely uses the Graph API to install Microsoft Teams applications has installed one using it. overridden

  • Weakly-Encrypted Kerberos TGT Response Informational 1 variation

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.
    Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).

    Variations

    Abnormal Weakly-Encrypted Kerberos TGT Response

    Low overridden

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden

  • Web server CGO executed a process following a potential Webshell dropped Informational

    A process was executed by a web server CGO following a potential drop of a webshell file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.
  • Web server CGO executed an uncommon process Informational 1 variation

    An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent
    Detector tags: Webshell Analytics
    Attacker's goals: Gaining the ability to execute commands on the host, as well as persistence.
    Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.

    Variations

    Web server CGO executed a LOLBIN process with direct IP in the command line

    High overridden

    A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden