Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • An unusual archive file creation by a user Informational Identity Threat Module 1 variation

    An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Stage data on an endpoint in the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    A user created an archive file for the first time

    Informational overridden

    A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden

  • An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation

    An unusual cloud identity was granted permissions to a BigQuery table or dataset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.
    Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.

    Variations

    Cloud admin granted an unknown identity permissions to a BigQuery resource

    Informational overridden

    An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden

  • An unusual process in ingress-nginx has accessed a service-account token file High Cloud

    An unusual process in ingress-nginx has read a service-account token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.
    Investigative actions: Check if the process is intended to preform these actions.
  • An unusual read activity of cloud object Informational Cloud

    An identity accessed a cloud object filetype for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • AppleScript executed a shell script Informational 2 variations

    An uncommon shell script has been executed by the AppleScript interpreter process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002) Command and Scripting Interpreter: Unix Shell (T1059.004)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics, Shell Analytics
    Attacker's goals: Use the AppleScript interpreter to execute a second stage payload.
    Investigative actions: Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the script was executed in an unusual way.

    Variations

    AppleScript executed a shell script using an unsigned, globally rare causality actor

    Low overridden

    An uncommon shell script has been executed by the AppleScript interpreter process. overridden

    AppleScript executed a shell script using an uncommon shell process

    Low overridden

    An uncommon shell script has been executed by the AppleScript interpreter process. overridden

  • AppleScript interpreter dynamic library loaded into a process Informational 2 variations

    The AppleScript interpreter dynamic library was loaded into a process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Stealthily execute AppleScript code while evading script-based detections.
    Investigative actions: Analyze the process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior. Check whether the process was executed in an unusual way.

    Variations

    AppleScript interpreter dynamic library loaded into an unsigned applet

    Low overridden

    The AppleScript interpreter dynamic library was loaded into an unsigned applet. overridden

    AppleScript interpreter dynamic library loaded into a process with an uncommon vendor signature

    Low overridden

    The AppleScript interpreter dynamic library was loaded into a process with an uncommon vendor signature. overridden

  • AppleScript process executed with a rare command line Informational 6 variations

    The AppleScript interpreter process was executed with an uncommon command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)
    Required data: XDR Agent
    Detector tags: AppleScript Analytics
    Attacker's goals: Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.
    Investigative actions: Analyze the command line and determine whether it performs any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the process was executed in an unusual way.

    Variations

    AppleScript process executed with a rare command line possibly using Finder to perform operations

    High overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line with an unusual password prompt

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly injects JavaScript into a browser

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly establishes persistence

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line that possibly installs a proxy

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

    AppleScript process executed with a rare command line performing clipboard access

    Low overridden

    The AppleScript interpreter process was executed with an uncommon command line. overridden

  • Attempt to execute a command on a remote host using PsExec.exe Low 1 variation

    There was an attempt to run a command on a remote host using PsExec.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Detector tags: Malicious Service Analytics
    Attacker's goals: Execute commands and run processes remotely.
    Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.

    Variations

    Attempt to execute a command on a remote host using PsExec.exe

    Low overridden

    There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden

  • Attempted Azure application access from unknown tenant Informational Cloud 2 variations

    A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Abuse serverless services to execute code in cloud environments.
    Investigative actions: Validate the legitimacy of the tenant in question. Investigate any unusual activity originating from the application.

    Variations

    Attempted Azure application access from an unusual tenant

    Medium overridden

    A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant. overridden

    Azure application access from unknown tenant

    Low overridden

    A Microsoft Graph API was executed by an Azure application from an unknown tenant. overridden

  • Aurora DB cluster stopped Informational Cloud

    An Aurora DB cluster (RDS) was stopped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: This may assist an attacker to exfiltrate sensitive information.
    Investigative actions: Check if the identity intended to stop the cluster. Check if this DB contains sensitive information. Check encryption for the DB cluster (at rest).
  • Authentication Attempt From a Dormant Account Informational 1 variation

    A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    31 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Use a compromised user account that has not been used in a long time and therefore less likely to be noticed.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Authentication Attempt From a Dormant Account to a sensitive server

    Low overridden

    A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker on a sensitive server. overridden

  • Authentication attempt by a honey user Low Identity Analytics 1 variation

    An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Okta OneLogin PingOne
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other authentication attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the authentication attempt. Follow further actions performed by the user.

    Variations

    Abnormal authentication by a honey user

    Medium overridden

    An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden

  • Authentication method added to an Azure account Informational Identity Threat Module 2 variations

    An identity attempted to add an Azure authentication method.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.
    Investigative actions: Check if the authentication method is legitimate in the organization. Check whether the identity is permitted to perform such actions. Follow the account for possible suspicious or unusual logins.

    Variations

    Suspicious authentication method addition to privileged Azure account

    Medium overridden

    A privileged user added an Azure authentication method. overridden

    Suspicious authentication method addition to Azure account

    Low overridden

    An identity added an Azure authentication method. overridden

  • Authentication method was added to Azure account Informational Cloud

    A new authentication method was added to an Azure AD user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Establish a backdoor for persistent access.
    Investigative actions: Review recent authentication attempts and access logs to detect any unauthorized activities or potential misuse of the newly added authentication method. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Autorun.inf created in root C drive Medium

    An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)
    Required data: XDR Agent
    Attacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.
    Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).
  • Azure AD PIM alert disabled Medium Identity Threat Module

    An identity disabled an Azure AD PIM alert.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker might want to disable alerts associated with authentication requirements for privileged access. This may allow malicious activities to go unnoticed.
    Investigative actions: Check what alert was disabled. Check whether the user that disabled the alert is permitted to perform such actions.
  • Azure AD PIM elevation request Informational Identity Threat Module

    An Azure AD PIM elevation request was denied/approved.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Getting elevated permissions to perform malicious actions.
    Investigative actions: Check if the elevation is authorized. Follow further actions or suspicious logins from the elevated account.
  • Azure AD PIM role settings change Low Identity Threat Module 1 variation

    An identity changed the PIM role settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.
    Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.

    Variations

    Suspicious Azure AD PIM role settings change

    Medium overridden

    An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden

  • Azure AD account unlock/password reset attempt Informational Identity Threat Module 1 variation

    An attempt to unlock an Azure AD identity or reset its password has occurred.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may switch a valid account's password for persistence.
    Investigative actions: Check if the password reset is authorized. Check whether the user who reset the password is permitted to perform such actions. Check if the account is in the password reset group or is acting out of scope. Check whether the user has not completed the password reset and cancelled before successfully passing authentication methods. Follow further actions or suspicious logins from the target account.

    Variations

    Azure AD account unlock/successful password reset

    Low overridden

    An identity successfully reset or changed Azure AD password. overridden

  • Azure Automation Account Creation Informational Cloud

    Azure Automation account was created. An attacker might create an account for persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity that created the account and verify its activity.
  • Azure Automation Runbook Creation/Modification Informational Cloud

    An Azure Automation Runbook was being modified or created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity and its actions after the modify/create action.
  • Azure Automation Runbook Deletion Informational Cloud

    An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)
    Required data: Azure Audit Log
    Attacker's goals: Stop business services.
    Investigative actions: Check which runbook was deleted and whether it is malicious or valid.
  • Azure Automation Webhook creation Informational Cloud

    Azure Automation Webhook can be used to pass a payload with specific attributes to run a malicious Runbook.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity actions prior/after the webhook creation. Find which Runbook was executed using the webhook.
  • Azure Blob Container Access Level Modification Informational Cloud

    Access level modification for a blob container, this action might be dangerous as sensitive data can be exposed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: File and Directory Permissions Modification (T1222)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Access restricted data.
    Investigative actions: Check if and which data was exposed after the access level modification.
  • Azure Event Hub Authorization rule creation/modification Informational Cloud

    An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using the created/updated rule.
    Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.
  • Azure Event Hub Deletion Low Cloud

    An Azure event hub was deleted. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check what actions were taken by the identity that deleted the event hub.
  • Azure Key Vault Secrets were modified Informational Cloud

    Azure key vault secrets were modified. A change or deletion of secrets in Azure Key Vault has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to confidential data stored in the Azure Key Vault.
    Investigative actions: Investigate what Azure Key Vault Secrets were modified or deleted. Check for any suspicious activity initiated by the identity.
  • Azure Key Vault modification Informational Cloud

    Azure Key Vault modifications can be crucial as it stores secrets e.g. encryption keys, certifications, etc.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials (T1552)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate information, persistence on existing users or damage critical accounts.
    Investigative actions: Check the identity actions before or after the Key Vault modification. Find which credentials were modified and their usage.
  • Azure Kubernetes events were deleted Informational Cloud

    Events have been deleted in Azure Kubernetes. This could indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Remove evidence or hinder defenses.
    Investigative actions: Look for any suspicious activity initiated by the identity.
  • Azure Network Watcher Deletion Low Cloud

    Azure Network Watchers are used for monitoring and diagnosing Azure resources. An attacker might use this technique to avoid security mitigations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Avoid security mitigations and detections.
    Investigative actions: Check which devices are monitored by the deleted Network Watcher.
  • Azure Privilege Escalation Using an Application Medium Identity Threat Module

    An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.
    Investigative actions: Check if the affected account is new to the organization. Check whether the application that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.
  • Azure Resource Group Deletion Informational Cloud

    Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which resource group was deleted.
  • Azure Service principal/Application creation Informational Cloud

    An Azure Service principal/Application was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To gain persistent access and elevate privileges within the environment.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure Storage Account key generated Informational Cloud

    Azure storage access keys rotation, might affect services/applications depended on the key set.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate information or damage critical services.
    Investigative actions: Check what actions were made by the users a few hours prior/after to the generation operation. Which actions were taken using the newly generated access keys.
  • Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations

    An identity registered an Azure Temporary Access Pass (TAP) to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.
    Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.

    Variations

    Azure Temporary Access Pass (TAP) registered to a privileged account

    Medium overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

    Abnormal Azure Temporary Access Pass (TAP) account registration

    Low overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

  • Azure account creation by a non-standard account Informational Identity Threat Module 1 variation

    An Azure AD account creation was performed by a user that doesn't typically create users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)
    Required data: AzureAD Audit Log
    Attacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.
    Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.

    Variations

    Unusual Azure account creation by a non-standard account

    Low overridden

    An Azure AD account creation was performed by a user that doesn't typically create users. overridden

  • Azure account deletion by a non-standard account Low Identity Threat Module 2 variations

    An Azure AD account deletion was performed by a user that doesn't typically delete users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AzureAD Audit Log
    Attacker's goals: Interrupt availability and access to Azure by deleting access accounts.
    Investigative actions: Follow further actions by the initiator. Check what services, groups and applications are affected by the deleted user being removed. Check if the deleted user had a privileged role.

    Variations

    Azure account deletion by a non-standard account with high administrative activity

    Informational overridden

    An Azure AD account deletion was performed by an identity with high administrative activity that doesn't typically delete users. overridden

    A suspicious Azure account deletion by a non-standard account

    Medium overridden

    An Azure AD account deletion was performed by a user that doesn't typically delete users in a suspicious manner. overridden

  • Azure application URI modification Informational Identity Threat Module 1 variation

    An identity added or updated an Azure application's URI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.

    Variations

    Suspicious Azure application URI modification

    Low overridden

    An identity added or updated an Azure application's URI. overridden

  • Azure application consent Informational Identity Threat Module 1 variation

    An identity consented permissions to an application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)
    Required data: AzureAD Audit Log
    Attacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.
    Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.

    Variations

    First seen Azure admin consent to an application

    Low overridden

    An administrative identity consented permissions to an application. overridden

  • Azure application credentials added Informational Identity Threat Module 2 variations

    An identity added credentials to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.

    Variations

    Suspicious credential operation on an Azure application

    Medium overridden

    An identity added a certificate to an Azure application in a suspicious way. overridden

    Unusual certificate operation on an Azure application

    Low overridden

    An identity added a certificate to an Azure application with some unusual parameters. overridden

  • Azure application removed Informational Cloud

    An Azure application has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts (T1564)
    Required data: Azure Audit Log
    Attacker's goals: Delete apps used for malicious activities. Delete evidence of activity.
    Investigative actions: Check the Azure Portal for any changes in applications. Review the activities performed by the application.
  • Azure conditional access policy creation or modification Informational Cloud

    An Azure conditional access policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Bypass authentication controls.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure device code authentication flow used Informational Identity Analytics 3 variations

    An Azure AD login was performed with device code flow.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: Azure Audit Log
    Attacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.
    Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.

    Variations

    Suspicious Azure device code authentication flow used by an Azure AD privileged user

    Medium overridden

    An Azure AD login was performed with device code flow. overridden

    Suspicious Azure device code authentication flow used

    Low overridden

    An Azure AD login was performed with device code flow. overridden

    Azure device code authentication flow used by an Azure AD privileged user

    Low overridden

    An Azure AD login was performed with device code flow. overridden

  • Azure diagnostic configuration deletion Informational Cloud

    An attacker might delete the Azure diagnostic settings to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check the identity and its actions after the deletion action.
  • Azure domain federation settings modification attempt Low Identity Threat Module 1 variation

    A user or application attempted to modify the federation settings of the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.

    Variations

    A successful Azure domain federation settings modification

    Medium overridden

    A user or application successfully modified the federation settings of the domain. overridden

  • Azure enumeration activity using Microsoft Graph API Informational Cloud 1 variation

    The Microsoft Graph API was used to enumerate an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Map the Azure tenant and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Azure sensitive resources enumeration activity using Microsoft Graph API

    Informational overridden

    Microsoft Graph API was used to enumerate sensitive resources in Azure tenant. overridden

  • Azure group creation/deletion Informational Cloud

    A group in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence to the environment.
    Investigative actions: Check group's assigned roles. Check which members were added to the group.
  • Azure mailbox rule creation Informational Cloud 1 variation

    A Mailbox rule in Azure was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Intercept or exfiltrate sensitive information.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.

    Variations

    Unusual Azure mailbox rule creation

    Low overridden

    A Mailbox rule in Azure was created. overridden

  • Azure permission delegation granted Informational Cloud 1 variation

    An identity delegated permissions to access a certain resource or application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log
    Attacker's goals: Gain control over user accounts.
    Investigative actions: Check the user access logs for any suspicious activity. Review the permissions granted and the scope of the permissions.

    Variations

    Azure permission delegation granted by an Azure AD privileged user

    Low overridden

    An identity delegated permissions to access a certain resource or application. overridden

  • Azure service principal assigned app role Informational Identity Threat Module

    An identity assigned an app role (permissions) to a service principal.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add roles to service principals that will allow them to access sensitive information and perform other actions.
    Investigative actions: Check if the added service principle is new to the organization. Check whether the account that added the app role is supposed to perform such actions. Check for possible logins and actions from the service principle with the role. Follow further actions done by the application and the assigner.
  • Azure storage account blob anonymous access is enabled Informational Cloud

    It is possible to configure anonymous access to blobs within the storage account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Azure storage account cross-tenant object replication was enabled Informational Cloud 1 variation

    Azure cross-tenant object replication in a storage account was enabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Enable unauthorized data transfer to an external or attacker-controlled environment. Establish a persistent channel for ongoing data exfiltration. Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.
    Investigative actions: Confirm that the identity intended to enable cross-tenant replication. Follow further actions done by the identity. Monitor the storage account for other suspicious activities.

    Variations

    Azure storage account cross-tenant object replication was enabled for the first time in a subscription

    Low overridden

    Azure cross-tenant object replication in a storage account was enabled for the first time in a subscription. overridden

  • Azure storage account was publicly shared Informational Cloud

    Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: Attackers want to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the storage account should be accessed from all networks. Disable public network access if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Azure user creation/deletion Informational Cloud

    A user in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence into the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure user password reset Informational Cloud

    The password of an Azure AD user was reset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure virtual machine commands execution Informational Cloud

    An Azure virtual machine executed PowerShell commands with System privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter (T1059)
    Required data: Azure Audit Log
    Attacker's goals: Executing malicious commands for discovery, privilege escalation, etc.
    Investigative actions: Check the VM that executed the commands and their results.
  • Bedrock model shared with a foreign account Low Cloud

    A bedrock model was shared with a foreign account through AWS resource access manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Exfiltrate the proprietary model to a foreign account and establish persistent access to it.
    Investigative actions: Investigate the foreign cloud accounts that gained access to the models. Assess the sensitivity of the shared models to determine the potential impact of this exposure. Identify the actor and investigate their identity for compromise.
  • BigQuery table or query results exfiltrated to a foreign project Informational Cloud 2 variations

    A cloud identity exfiltrated BigQuery table data to a foreign storage service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery table.
    Investigative actions: Check if {cloud_best_identity_match} intended to transfer data from BigQuery table. Verify if the affected table did not contain any sensitive information.

    Variations

    BigQuery table or query results exfiltrated to a foreign project by cloud admin identity

    Informational overridden

    A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden

    BigQuery table or query results exfiltrated to a foreign project by an unknown identity

    Low overridden

    A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden

  • Billing admin role was removed Low Cloud

    Sensitive Action - Billing admin role was removed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Prevent billing notifications from being sent to the billing admin.
    Investigative actions: Check if the identity intended to remove the billing admin. Check if the identity performed additional malicious operations in the cloud environment.
  • BitLocker key retrieval Informational Identity Threat Module

    An identity retrieved a BitLocker Key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.
    Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.
  • Bitsadmin.exe persistence using command-line callback Medium

    BITSAdmin.exe was used with a command-line that may indicate malware trying to gain persistence on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: BITS Jobs (T1197)
    Required data: XDR Agent
    Attacker's goals: Gain persistence using the legitimate bitsadmin 'setnotifycmdline' mechanism, which triggers process executions once a Bits job is done or fails.
    Investigative actions: Check if the command line contains any malicious indicators. Check if the parent process is suspicious. Check if the command-line used to persist is malicious or references a malicious binary.
  • Broker Collection Error Informational 2 variations

    A collection error was detected on a broker VM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Broker Collector Critical Error

    High overridden

    A collection error was detected on a broker VM. overridden

    Broker Collection Issue

    Medium overridden

    A collection error was detected on a broker VM. overridden

  • Bronze-Bit exploit High

    A forwardable Kerberos ticket for delegation of a Protected User was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain a special user's Kerberos ticket to move laterally.
    Investigative actions: Check the initiating service account delegation privileges. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.
  • Browser Extension Installed Informational 1 variation

    Uncommon browser extension installed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Establish persistent access to victim systems through Chromium-based browser, steal sensitive data such credentials, cookies hijacking and financial data.
    Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.

    Variations

    Uncommon Browser Extension Installed

    Low overridden

    Uncommon browser extension installed. overridden

  • Browser bookmark files accessed by a rare non-browser process Informational

    Browser bookmark files accessed by a rare non-browser process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Browser Information Discovery (T1217)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Accessing these files is done by attackers to collect information about the endpoint.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.
  • Brute-force attempt on a local account Informational Identity Analytics 1 variation

    A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the account.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Brute force on a local account

    Low overridden

    A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack. overridden

  • Bucket's block public access setting turned off Informational Cloud

    S3 bucket block public access setting turned off.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Expose bucket to the public and maintain access to bucket's resources avoiding detection.
    Investigative actions: Check if {cloud_best_identity_match} intended to modify block public access settings. Check if the {bucket_name} bucket contains any sensitive information.
  • Bucket's object ownership controls were modified Informational Cloud

    S3 bucket object ownership controls were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Maintain control and access to data that resides inside the S3 bucket.
    Investigative actions: Check if {cloud_best_identity_match} intended to modify bucket's object ownership. Check if the {aws_s3bucket_identifier} bucket contains any sensitive information.
  • Cached credentials discovery with cmdkey Low 2 variations

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)
    Required data: XDR Agent
    Attacker's goals: Access cached user credentials.
    Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.

    Variations

    The process cmdkey runs with modified name and extract cached credentials

    High overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

    Transfer cached credentials with cmdkey to other standard output

    Medium overridden

    Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden

  • Certutil pfx parsing Low

    Certutil was used to parse a pfx certificate file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Local System (T1005)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers want to check pfx details. If details suffice, the correct certificate can be used for authentication, persistence or NTLM extraction.
    Investigative actions: Check if the pfx parsing is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).
  • Change of sudo caching configuration Low 1 variation

    Change of sudo caching configuration may have been intended to enable privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may use the sudoers file to elevate privileges.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Change of sudo caching configuration in a Kubernetes pod

    Low overridden

    Change of sudo caching configuration may have been intended to enable privilege escalation. overridden

  • Chrome Extension Installed By User Informational Identity Threat Module

    A Chrome extension was installed or updated by a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.
    Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.
  • Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation

    A user modified Chrome OS Remote Access configuration in Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)
    ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.
    Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.

    Variations

    Suspicious Chrome OS Remote Access policy was modified in Google Workspace

    Low overridden

    This is the first time the user performs this operation in the last 30 days. overridden

  • ClickFix - PowerShell executed through the run application Low 4 variations

    An attacker may be trying to trick a user to execute PowerShell through the run application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing (T1566)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.
    Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.

    Variations

    ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long PowerShell command executed through the run application with URL in the command

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long encoded PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Schedule task PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

  • Cloud AI agent was modified Informational Cloud 1 variation

    A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Modify AI agents to evade certain restrictions and potentially access sensitive data.
    Investigative actions: Examine changed AI agent and determine how it was affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual modification of AI agent

    Low overridden

    A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

  • Cloud IMDS access followed by remote token usage Medium Cloud

    A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: AWS Audit Log XDR Agent
    Attacker's goals: Gain unauthorized access by leveraging valid cloud credentials.
    Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.
  • Cloud Organizational policy was created or modified Informational Cloud 1 variation

    Cloud organizational policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)
    Required data: Gcp Audit Log
    Attacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.
    Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.

    Variations

    Cloud Organizational policy was created or modified

    Low overridden

    Cloud organizational policy was created or modified. overridden

  • Cloud Watch alarm deletion Informational Cloud

    A Cloud Watch alarm was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Delete alarm to evade detection.
    Investigative actions: Check the identity that deleted the alarm. Check the which resource were related to the deleted alarm.
  • Cloud access key creation Informational Cloud 2 variations

    Cloud access key creation by a cloud identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Persist in the environment.
    Investigative actions: investigate the identity who created the access keys. Check the access key activity in the organization.

    Variations

    Successful access key creation by an unusual identity type

    Informational overridden

    Cloud access key creation by a cloud identity. overridden

    Unusual successful cloud access key creation

    Informational overridden

    Cloud access key creation by a cloud identity. overridden

  • Cloud activity from a high-risk IP address Informational Cloud 1 variation

    An identity executed a cloud API from a high-risk IP address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access using a compromised identity while obfuscating origin.
    Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.

    Variations

    Cloud activity from an unusual high-risk IP

    Low overridden

    An identity executed a cloud API from a high-risk IP address. overridden

  • Cloud compute instance user data script modification Informational Cloud 1 variation

    The user data of a cloud compute instance was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Cloud Administration Command (T1651)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute commands within virtual machines.
    Investigative actions: Verify whether this action is expected. Inspect the user data script for malicious content.

    Variations

    Unusual Cloud compute instance user data script modification

    Low overridden

    The user data of a cloud compute instance was modified. overridden

  • Cloud compute serial console access Informational Cloud 2 variations

    An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.
    Investigative actions: Verify whether the identity should be making this action. Investigate which actions were performed via serial console access.

    Variations

    Cloud compute serial console access by an identity with high administrative activity

    Informational overridden

    An identity with high administrative activity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden

    Suspicious cloud compute serial console access in a project

    Low overridden

    An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden

  • Cloud compute volume creation attempt Informational Cloud 1 variation

    An attempt was made to create an EBS volume.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on snapshots.
    Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.

    Variations

    Cloud compute volume creation attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to create an EBS volume. overridden

  • Cloud email infrastructure enumeration activity Informational Cloud

    A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Map the cloud email environment and detect potential email resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.
  • Cloud email sending was enabled Informational Cloud 1 variation

    Cloud email sending was enabled for the cloud account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)
    Required data: AWS Audit Log
    Attacker's goals: Use the existing account to send phishing or spread malware.
    Investigative actions: Check if the identity has performed any email-related operations in the past. Check if this account should be used for email sending.

    Variations

    Cloud email sending was enabled by an unusual identity

    Low overridden

    Cloud email sending was enabled for the cloud account.The identity was not seen performing any operations in SES in the last 30 days. overridden

  • Cloud email service activity Informational Cloud 2 variations

    A cloud Identity performed an email service operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Internal Spearphishing (T1534)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Abuse the cloud email service for sending phishing emails.
    Investigative actions: Check for any following actions related to this activity. Verify that the identity did not abuse the email service to send phishing emails to victims.

    Variations

    Unusual cloud email service activity

    Low overridden

    A cloud Identity performed an email service operation for the first time in the tenant. overridden

    Cloud email service entity creation

    Low overridden

    A cloud Identity created a new cloud email identity. overridden

  • Cloud identity reached a throttling API rate Informational Cloud 3 variations

    A cloud identity has executed a high volume of API calls, causing a throttling error.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse cloud resource, such behavior is usually seen during cryptocurrency attacks.
    Investigative actions: Check the identity created resources and their legitimacy. Look for any unusual behavior originated from the suspected identity.

    Variations

    Cloud identity reached a highly unusual throttling API rate

    Low overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This indicates on a high volume of cloud instances allocation, such activity may be related to a cryptocurrency attack. overridden

    Cloud identity reached an unusual throttling API rate in the cloud project

    Informational overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This API rate is unusual on the project level. overridden

    Cloud identity reached an unusual throttling API rate

    Informational overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This activity is unusual for The cloud identity, and was not seen in the last 30 days. overridden

  • Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations

    A suspicious identity type has attempted to impersonate another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.

    Variations

    Cloud impersonation attempt of a management role by unusual identity type

    Informational overridden

    An unusual cloud identity type attempted to impersonate a management role. overridden

    Successful cloud impersonation by an unusual identity type

    Medium overridden

    A suspicious identity type has successfully impersonated another identity. overridden

  • Cloud infrastructure enumeration activity Informational Cloud 1 variation

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Map the cloud environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious cloud infrastructure enumeration activity

    Low overridden

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden

  • Cloud instance creation attempt Informational Cloud

    An attempt was made to create a cloud compute instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Create a new cloud instance to evade detection or leverage it for further malicious activity.
    Investigative actions: Review recent activity related to the identity and the created cloud instance.
  • Cloud instance deletion attempt Informational Cloud 1 variation

    An attempt was made to delete a cloud compute instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: To remove evidence or disrupt operations.
    Investigative actions: Review recent activity associated with the identity and the deleted instance.

    Variations

    Cloud instance deletion attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to delete a cloud compute instance. overridden

  • Cloud penetration testing tool activity High Cloud 3 variations

    A cloud API was successfully executed using a known cloud penetration testing tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.
    Investigative actions: Confirm if authorized penetration testing activity is currently scheduled. Review the API operations performed by the identity to determine the intent and scope of the activity.

    Variations

    Cloud penetration testing tool usage attempt

    Informational overridden

    A failed cloud API was executed using a known cloud penetration testing tool. overridden

    Cloud security assessment tool activity

    Low overridden

    A cloud API was successfully executed using a known cloud security assessment tool. overridden

    Cloud penetration testing tool activity by Azure application

    Informational overridden

    A cloud API was successfully executed using a known cloud penetration testing tool by an Azure application. overridden

  • Cloud resource logging was disabled Informational Cloud 3 variations

    Cloud resource logging was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Avoiding detection of their activities by limiting the amount of data collected. This action may be preliminary to resource deletion or data exhilaration from the resource. Setting the stage for further attacks, like a Ransomware Attack.
    Investigative actions: Confirm that the identity intended to disable logging on this resource. Follow further actions done by the identity. Monitor other (non-disabled) activity logs related to this resource.

    Variations

    Cloud resource logging was disabled - failed attempt

    Informational overridden

    A failed attempt to disable cloud resource logging. overridden

    Cloud resource logging was disabled on an Azure DB/storage resource

    Informational overridden

    Cloud resource logging was disabled on a DB/storage resource. overridden

    Cloud resource logging was disabled on a GCP DB/storage resource

    Low overridden

    Cloud resource logging was disabled on a DB/storage resource. overridden

  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

  • Cloud snapshot of a database or storage instance was publicly shared Medium Cloud

    A cloud identity has publicly shared a snapshot of a database or storage instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to share the snapshot publicly. Check if the identity performed additional malicious operations within the cloud environment.
  • Cloud storage automatic backup disabled Informational Cloud 1 variation

    Automatic backup of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.
    Investigative actions: Confirm that the identity intended to disable automatic backup on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Cloud storage automatic backup disabled from a CLI

    Informational overridden

    Automatic backup of a cloud storage resource was disabled from a CLI. overridden

  • Cloud storage delete protection disabled Informational Cloud 1 variation

    Delete protection of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.
    Investigative actions: Confirm that the identity intended to disable deletion protection on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Cloud storage delete protection disabled by an unusual identity

    Informational overridden

    Delete protection of a cloud storage resource was disabled by an unusual identity. overridden

  • Cloud storage object discovery Informational Cloud

    Cloud storage object discovery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Identify sensitive data, valuable files, configuration details or other information that can be leveraged for further attacks.
    Investigative actions: Review the identity's permissions and historical access to the storage resource. Analyze the identity's immediate post-listing actions on the storage resource. Correlate this event with other discovery activity or suspicious logins by the identity.
  • Cloud user performed multiple actions that were denied Informational Cloud 1 variation

    An identity performed multiple actions that were denied, which may indicate it is being misused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Execute various commands to explore the cloud environment.
    Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.

    Variations

    Cloud non-user identity performed multiple actions that were denied

    Low overridden

    An identity performed multiple actions that were denied, which may indicate it is being misused. overridden

  • CloudTrail logging deletion Informational Cloud 2 variations

    CloudTrail logging trail deletion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Verify whether the identity attempted to delete the trail. Determine whether an additional trail needs to be enabled.

    Variations

    Successful CloudTrail logging deletion by a non-admin identity

    Medium overridden

    CloudTrail logging trail deletion. overridden

    Successful CloudTrail logging deletion by an unusual identity

    Low overridden

    CloudTrail logging trail deletion. overridden