Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapAn unusual archive file creation by a user Informational Identity Threat Module 1 variation
An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user created an archive file for the first time
Informational overridden
A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden
An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation
An unusual cloud identity was granted permissions to a BigQuery table or dataset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.Variations
Cloud admin granted an unknown identity permissions to a BigQuery resource
Informational overridden
An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden
An unusual process in ingress-nginx has accessed a service-account token file High Cloud
An unusual process in ingress-nginx has read a service-account token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.Investigative actions: Check if the process is intended to preform these actions.An unusual read activity of cloud object Informational Cloud
An identity accessed a cloud object filetype for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.AppleScript executed a shell script Informational 2 variations
An uncommon shell script has been executed by the AppleScript interpreter process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002) Command and Scripting Interpreter: Unix Shell (T1059.004)Required data: XDR AgentDetector tags: AppleScript Analytics, Shell AnalyticsAttacker's goals: Use the AppleScript interpreter to execute a second stage payload.Investigative actions: Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the script was executed in an unusual way.Variations
AppleScript executed a shell script using an unsigned, globally rare causality actor
Low overridden
An uncommon shell script has been executed by the AppleScript interpreter process. overridden
AppleScript executed a shell script using an uncommon shell process
Low overridden
An uncommon shell script has been executed by the AppleScript interpreter process. overridden
AppleScript interpreter dynamic library loaded into a process Informational 2 variations
The AppleScript interpreter dynamic library was loaded into a process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)Required data: XDR AgentDetector tags: AppleScript AnalyticsAttacker's goals: Stealthily execute AppleScript code while evading script-based detections.Investigative actions: Analyze the process and determine whether it performs any malicious or suspicious actions. Check the events generated by the process for potential malicious behavior. Check whether the process was executed in an unusual way.Variations
AppleScript interpreter dynamic library loaded into an unsigned applet
Low overridden
The AppleScript interpreter dynamic library was loaded into an unsigned applet. overridden
AppleScript interpreter dynamic library loaded into a process with an uncommon vendor signature
Low overridden
The AppleScript interpreter dynamic library was loaded into a process with an uncommon vendor signature. overridden
AppleScript process executed with a rare command line Informational 6 variations
The AppleScript interpreter process was executed with an uncommon command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AppleScript (T1059.002)Required data: XDR AgentDetector tags: AppleScript AnalyticsAttacker's goals: Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.Investigative actions: Analyze the command line and determine whether it performs any malicious or suspicious actions. Check the events generated by the process or its children for potential malicious behavior. Check whether the process was executed in an unusual way.Variations
AppleScript process executed with a rare command line possibly using Finder to perform operations
High overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line with an unusual password prompt
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line that possibly injects JavaScript into a browser
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line that possibly establishes persistence
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line that possibly installs a proxy
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
AppleScript process executed with a rare command line performing clipboard access
Low overridden
The AppleScript interpreter process was executed with an uncommon command line. overridden
Attempt to execute a command on a remote host using PsExec.exe Low 1 variation
There was an attempt to run a command on a remote host using PsExec.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Remote Services: SMB/Windows Admin Shares (T1021.002) System Services: Service Execution (T1569.002)Required data: XDR AgentDetector tags: Malicious Service AnalyticsAttacker's goals: Execute commands and run processes remotely.Investigative actions: Confirm that the connection is benign and occurred as a part of normal behavior.Variations
Attempt to execute a command on a remote host using PsExec.exe
Low overridden
There was an attempt to run a command on a remote host using PsExec.exe., the connection to the remote host was successful. overridden
Attempted Azure application access from unknown tenant Informational Cloud 2 variations
A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Abuse serverless services to execute code in cloud environments.Investigative actions: Validate the legitimacy of the tenant in question. Investigate any unusual activity originating from the application.Variations
Attempted Azure application access from an unusual tenant
Medium overridden
A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant. overridden
Azure application access from unknown tenant
Low overridden
A Microsoft Graph API was executed by an Azure application from an unknown tenant. overridden
Aurora DB cluster stopped Informational Cloud
An Aurora DB cluster (RDS) was stopped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: This may assist an attacker to exfiltrate sensitive information.Investigative actions: Check if the identity intended to stop the cluster. Check if this DB contains sensitive information. Check encryption for the DB cluster (at rest).Authentication Attempt From a Dormant Account Informational 1 variation
A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 31 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Use a compromised user account that has not been used in a long time and therefore less likely to be noticed.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Authentication Attempt From a Dormant Account to a sensitive server
Low overridden
A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker on a sensitive server. overridden
Authentication attempt by a honey user Low Identity Analytics 1 variation
An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Okta OneLogin PingOneDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other authentication attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the authentication attempt. Follow further actions performed by the user.Variations
Abnormal authentication by a honey user
Medium overridden
An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden
Authentication method added to an Azure account Informational Identity Threat Module 2 variations
An identity attempted to add an Azure authentication method.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.Investigative actions: Check if the authentication method is legitimate in the organization. Check whether the identity is permitted to perform such actions. Follow the account for possible suspicious or unusual logins.Variations
Suspicious authentication method addition to privileged Azure account
Medium overridden
A privileged user added an Azure authentication method. overridden
Suspicious authentication method addition to Azure account
Low overridden
An identity added an Azure authentication method. overridden
Authentication method was added to Azure account Informational Cloud
A new authentication method was added to an Azure AD user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish a backdoor for persistent access.Investigative actions: Review recent authentication attempts and access logs to detect any unauthorized activities or potential misuse of the newly added authentication method. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Autorun.inf created in root C drive Medium
An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)Required data: XDR AgentAttacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).Azure AD PIM alert disabled Medium Identity Threat Module
An identity disabled an Azure AD PIM alert.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker might want to disable alerts associated with authentication requirements for privileged access. This may allow malicious activities to go unnoticed.Investigative actions: Check what alert was disabled. Check whether the user that disabled the alert is permitted to perform such actions.Azure AD PIM elevation request Informational Identity Threat Module
An Azure AD PIM elevation request was denied/approved.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Getting elevated permissions to perform malicious actions.Investigative actions: Check if the elevation is authorized. Follow further actions or suspicious logins from the elevated account.Azure AD PIM role settings change Low Identity Threat Module 1 variation
An identity changed the PIM role settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.Variations
Suspicious Azure AD PIM role settings change
Medium overridden
An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden
Azure AD account unlock/password reset attempt Informational Identity Threat Module 1 variation
An attempt to unlock an Azure AD identity or reset its password has occurred.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may switch a valid account's password for persistence.Investigative actions: Check if the password reset is authorized. Check whether the user who reset the password is permitted to perform such actions. Check if the account is in the password reset group or is acting out of scope. Check whether the user has not completed the password reset and cancelled before successfully passing authentication methods. Follow further actions or suspicious logins from the target account.Variations
Azure AD account unlock/successful password reset
Low overridden
An identity successfully reset or changed Azure AD password. overridden
Azure Automation Account Creation Informational Cloud
Azure Automation account was created. An attacker might create an account for persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity that created the account and verify its activity.Azure Automation Runbook Creation/Modification Informational Cloud
An Azure Automation Runbook was being modified or created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity and its actions after the modify/create action.Azure Automation Runbook Deletion Informational Cloud
An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)Required data: Azure Audit LogAttacker's goals: Stop business services.Investigative actions: Check which runbook was deleted and whether it is malicious or valid.Azure Automation Webhook creation Informational Cloud
Azure Automation Webhook can be used to pass a payload with specific attributes to run a malicious Runbook.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity actions prior/after the webhook creation. Find which Runbook was executed using the webhook.Azure Blob Container Access Level Modification Informational Cloud
Access level modification for a blob container, this action might be dangerous as sensitive data can be exposed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: File and Directory Permissions Modification (T1222)Required data: Azure Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Access restricted data.Investigative actions: Check if and which data was exposed after the access level modification.Azure Event Hub Authorization rule creation/modification Informational Cloud
An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Persistence using the created/updated rule.Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.Azure Event Hub Deletion Low Cloud
An Azure event hub was deleted. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check what actions were taken by the identity that deleted the event hub.Azure Key Vault Secrets were modified Informational Cloud
Azure key vault secrets were modified. A change or deletion of secrets in Azure Key Vault has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: Azure Audit LogAttacker's goals: Gain access to confidential data stored in the Azure Key Vault.Investigative actions: Investigate what Azure Key Vault Secrets were modified or deleted. Check for any suspicious activity initiated by the identity.Azure Key Vault modification Informational Cloud
Azure Key Vault modifications can be crucial as it stores secrets e.g. encryption keys, certifications, etc.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials (T1552)Required data: Azure Audit LogAttacker's goals: Exfiltrate information, persistence on existing users or damage critical accounts.Investigative actions: Check the identity actions before or after the Key Vault modification. Find which credentials were modified and their usage.Azure Kubernetes events were deleted Informational Cloud
Events have been deleted in Azure Kubernetes. This could indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Remove evidence or hinder defenses.Investigative actions: Look for any suspicious activity initiated by the identity.Azure Network Watcher Deletion Low Cloud
Azure Network Watchers are used for monitoring and diagnosing Azure resources. An attacker might use this technique to avoid security mitigations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Avoid security mitigations and detections.Investigative actions: Check which devices are monitored by the deleted Network Watcher.Azure Privilege Escalation Using an Application Medium Identity Threat Module
An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.Investigative actions: Check if the affected account is new to the organization. Check whether the application that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.Azure Resource Group Deletion Informational Cloud
Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check which resource group was deleted.Azure Service principal/Application creation Informational Cloud
An Azure Service principal/Application was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To gain persistent access and elevate privileges within the environment.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure Storage Account key generated Informational Cloud
Azure storage access keys rotation, might affect services/applications depended on the key set.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528)Required data: Azure Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate information or damage critical services.Investigative actions: Check what actions were made by the users a few hours prior/after to the generation operation. Which actions were taken using the newly generated access keys.Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations
An identity registered an Azure Temporary Access Pass (TAP) to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.Variations
Azure Temporary Access Pass (TAP) registered to a privileged account
Medium overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Abnormal Azure Temporary Access Pass (TAP) account registration
Low overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Azure account creation by a non-standard account Informational Identity Threat Module 1 variation
An Azure AD account creation was performed by a user that doesn't typically create users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)Required data: AzureAD Audit LogAttacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.Variations
Unusual Azure account creation by a non-standard account
Low overridden
An Azure AD account creation was performed by a user that doesn't typically create users. overridden
Azure account deletion by a non-standard account Low Identity Threat Module 2 variations
An Azure AD account deletion was performed by a user that doesn't typically delete users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AzureAD Audit LogAttacker's goals: Interrupt availability and access to Azure by deleting access accounts.Investigative actions: Follow further actions by the initiator. Check what services, groups and applications are affected by the deleted user being removed. Check if the deleted user had a privileged role.Variations
Azure account deletion by a non-standard account with high administrative activity
Informational overridden
An Azure AD account deletion was performed by an identity with high administrative activity that doesn't typically delete users. overridden
A suspicious Azure account deletion by a non-standard account
Medium overridden
An Azure AD account deletion was performed by a user that doesn't typically delete users in a suspicious manner. overridden
Azure application URI modification Informational Identity Threat Module 1 variation
An identity added or updated an Azure application's URI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.Variations
Suspicious Azure application URI modification
Low overridden
An identity added or updated an Azure application's URI. overridden
Azure application consent Informational Identity Threat Module 1 variation
An identity consented permissions to an application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)Required data: AzureAD Audit LogAttacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.Variations
First seen Azure admin consent to an application
Low overridden
An administrative identity consented permissions to an application. overridden
Azure application credentials added Informational Identity Threat Module 2 variations
An identity added credentials to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Variations
Suspicious credential operation on an Azure application
Medium overridden
An identity added a certificate to an Azure application in a suspicious way. overridden
Unusual certificate operation on an Azure application
Low overridden
An identity added a certificate to an Azure application with some unusual parameters. overridden
Azure application removed Informational Cloud
An Azure application has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts (T1564)Required data: Azure Audit LogAttacker's goals: Delete apps used for malicious activities. Delete evidence of activity.Investigative actions: Check the Azure Portal for any changes in applications. Review the activities performed by the application.Azure conditional access policy creation or modification Informational Cloud
An Azure conditional access policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Bypass authentication controls.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure device code authentication flow used Informational Identity Analytics 3 variations
An Azure AD login was performed with device code flow.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: Azure Audit LogAttacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.Variations
Suspicious Azure device code authentication flow used by an Azure AD privileged user
Medium overridden
An Azure AD login was performed with device code flow. overridden
Suspicious Azure device code authentication flow used
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure device code authentication flow used by an Azure AD privileged user
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure diagnostic configuration deletion Informational Cloud
An attacker might delete the Azure diagnostic settings to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check the identity and its actions after the deletion action.Azure domain federation settings modification attempt Low Identity Threat Module 1 variation
A user or application attempted to modify the federation settings of the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.Variations
A successful Azure domain federation settings modification
Medium overridden
A user or application successfully modified the federation settings of the domain. overridden
Azure enumeration activity using Microsoft Graph API Informational Cloud 1 variation
The Microsoft Graph API was used to enumerate an Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Map the Azure tenant and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Azure sensitive resources enumeration activity using Microsoft Graph API
Informational overridden
Microsoft Graph API was used to enumerate sensitive resources in Azure tenant. overridden
Azure group creation/deletion Informational Cloud
A group in Azure was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain persistence to the environment.Investigative actions: Check group's assigned roles. Check which members were added to the group.Azure mailbox rule creation Informational Cloud 1 variation
A Mailbox rule in Azure was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Intercept or exfiltrate sensitive information.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Variations
Unusual Azure mailbox rule creation
Low overridden
A Mailbox rule in Azure was created. overridden
Azure permission delegation granted Informational Cloud 1 variation
An identity delegated permissions to access a certain resource or application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit LogAttacker's goals: Gain control over user accounts.Investigative actions: Check the user access logs for any suspicious activity. Review the permissions granted and the scope of the permissions.Variations
Azure permission delegation granted by an Azure AD privileged user
Low overridden
An identity delegated permissions to access a certain resource or application. overridden
Azure service principal assigned app role Informational Identity Threat Module
An identity assigned an app role (permissions) to a service principal.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may add roles to service principals that will allow them to access sensitive information and perform other actions.Investigative actions: Check if the added service principle is new to the organization. Check whether the account that added the app role is supposed to perform such actions. Check for possible logins and actions from the service principle with the role. Follow further actions done by the application and the assigner.Azure storage account blob anonymous access is enabled Informational Cloud
It is possible to configure anonymous access to blobs within the storage account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Azure storage account cross-tenant object replication was enabled Informational Cloud 1 variation
Azure cross-tenant object replication in a storage account was enabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Enable unauthorized data transfer to an external or attacker-controlled environment. Establish a persistent channel for ongoing data exfiltration. Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.Investigative actions: Confirm that the identity intended to enable cross-tenant replication. Follow further actions done by the identity. Monitor the storage account for other suspicious activities.Variations
Azure storage account cross-tenant object replication was enabled for the first time in a subscription
Low overridden
Azure cross-tenant object replication in a storage account was enabled for the first time in a subscription. overridden
Azure storage account was publicly shared Informational Cloud
Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogDetector tags: Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: Attackers want to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the storage account should be accessed from all networks. Disable public network access if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Azure user creation/deletion Informational Cloud
A user in Azure was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain persistence into the account.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure user password reset Informational Cloud
The password of an Azure AD user was reset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure virtual machine commands execution Informational Cloud
An Azure virtual machine executed PowerShell commands with System privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter (T1059)Required data: Azure Audit LogAttacker's goals: Executing malicious commands for discovery, privilege escalation, etc.Investigative actions: Check the VM that executed the commands and their results.Bedrock model shared with a foreign account Low Cloud
A bedrock model was shared with a foreign account through AWS resource access manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Exfiltrate the proprietary model to a foreign account and establish persistent access to it.Investigative actions: Investigate the foreign cloud accounts that gained access to the models. Assess the sensitivity of the shared models to determine the potential impact of this exposure. Identify the actor and investigate their identity for compromise.BigQuery table or query results exfiltrated to a foreign project Informational Cloud 2 variations
A cloud identity exfiltrated BigQuery table data to a foreign storage service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery table.Investigative actions: Check if {cloud_best_identity_match} intended to transfer data from BigQuery table. Verify if the affected table did not contain any sensitive information.Variations
BigQuery table or query results exfiltrated to a foreign project by cloud admin identity
Informational overridden
A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden
BigQuery table or query results exfiltrated to a foreign project by an unknown identity
Low overridden
A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden
Billing admin role was removed Low Cloud
Sensitive Action - Billing admin role was removed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Prevent billing notifications from being sent to the billing admin.Investigative actions: Check if the identity intended to remove the billing admin. Check if the identity performed additional malicious operations in the cloud environment.BitLocker key retrieval Informational Identity Threat Module
An identity retrieved a BitLocker Key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.Bitsadmin.exe persistence using command-line callback Medium
BITSAdmin.exe was used with a command-line that may indicate malware trying to gain persistence on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: BITS Jobs (T1197)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate bitsadmin 'setnotifycmdline' mechanism, which triggers process executions once a Bits job is done or fails.Investigative actions: Check if the command line contains any malicious indicators. Check if the parent process is suspicious. Check if the command-line used to persist is malicious or references a malicious binary.Broker Collection Error Informational 2 variations
A collection error was detected on a broker VM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Variations
Broker Collector Critical Error
High overridden
A collection error was detected on a broker VM. overridden
Broker Collection Issue
Medium overridden
A collection error was detected on a broker VM. overridden
Bronze-Bit exploit High
A forwardable Kerberos ticket for delegation of a Protected User was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain a special user's Kerberos ticket to move laterally.Investigative actions: Check the initiating service account delegation privileges. Check the delegated account credentials and if it has high privileges. Check the ticket destination to verify whether it is a sensitive asset.Browser Extension Installed Informational 1 variation
Uncommon browser extension installed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Establish persistent access to victim systems through Chromium-based browser, steal sensitive data such credentials, cookies hijacking and financial data.Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Variations
Uncommon Browser Extension Installed
Low overridden
Uncommon browser extension installed. overridden
Browser bookmark files accessed by a rare non-browser process Informational
Browser bookmark files accessed by a rare non-browser process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Browser Information Discovery (T1217)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Accessing these files is done by attackers to collect information about the endpoint.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.Brute-force attempt on a local account Informational Identity Analytics 1 variation
A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the account.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Brute force on a local account
Low overridden
A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack. overridden
Bucket's block public access setting turned off Informational Cloud
S3 bucket block public access setting turned off.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Expose bucket to the public and maintain access to bucket's resources avoiding detection.Investigative actions: Check if {cloud_best_identity_match} intended to modify block public access settings. Check if the {bucket_name} bucket contains any sensitive information.Bucket's object ownership controls were modified Informational Cloud
S3 bucket object ownership controls were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Maintain control and access to data that resides inside the S3 bucket.Investigative actions: Check if {cloud_best_identity_match} intended to modify bucket's object ownership. Check if the {aws_s3bucket_identifier} bucket contains any sensitive information.Cached credentials discovery with cmdkey Low 2 variations
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: OS Credential Dumping (T1003) Account Discovery (T1087)Required data: XDR AgentAttacker's goals: Access cached user credentials.Investigative actions: Check the initiator process for additional suspicious activity. Check if the host is a shared host that multiple users' credentials can be extracted from.Variations
The process cmdkey runs with modified name and extract cached credentials
High overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Transfer cached credentials with cmdkey to other standard output
Medium overridden
Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines, Attackers can access cached user credentials using cmdkey /list. overridden
Certutil pfx parsing Low
Certutil was used to parse a pfx certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Local System (T1005)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers want to check pfx details. If details suffice, the correct certificate can be used for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx parsing is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Change of sudo caching configuration Low 1 variation
Change of sudo caching configuration may have been intended to enable privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use the sudoers file to elevate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Change of sudo caching configuration in a Kubernetes pod
Low overridden
Change of sudo caching configuration may have been intended to enable privilege escalation. overridden
Chrome Extension Installed By User Informational Identity Threat Module
A Chrome extension was installed or updated by a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation
A user modified Chrome OS Remote Access configuration in Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.Variations
Suspicious Chrome OS Remote Access policy was modified in Google Workspace
Low overridden
This is the first time the user performs this operation in the last 30 days. overridden
ClickFix - PowerShell executed through the run application Low 4 variations
An attacker may be trying to trick a user to execute PowerShell through the run application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution (T1204) Phishing (T1566)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.Variations
ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
ClickFix - Long PowerShell command executed through the run application with URL in the command
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
ClickFix - Long encoded PowerShell command executed through the run application
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
ClickFix - Schedule task PowerShell command executed through the run application
High overridden
An attacker may be trying to trick a user to execute PowerShell through the run application. overridden
Cloud AI agent was modified Informational Cloud 1 variation
A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Modify AI agents to evade certain restrictions and potentially access sensitive data.Investigative actions: Examine changed AI agent and determine how it was affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual modification of AI agent
Low overridden
A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
Cloud IMDS access followed by remote token usage Medium Cloud
A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: AWS Audit Log XDR AgentAttacker's goals: Gain unauthorized access by leveraging valid cloud credentials.Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.Cloud Organizational policy was created or modified Informational Cloud 1 variation
Cloud organizational policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)Required data: Gcp Audit LogAttacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.Variations
Cloud Organizational policy was created or modified
Low overridden
Cloud organizational policy was created or modified. overridden
Cloud Watch alarm deletion Informational Cloud
A Cloud Watch alarm was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Delete alarm to evade detection.Investigative actions: Check the identity that deleted the alarm. Check the which resource were related to the deleted alarm.Cloud access key creation Informational Cloud 2 variations
Cloud access key creation by a cloud identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Persist in the environment.Investigative actions: investigate the identity who created the access keys. Check the access key activity in the organization.Variations
Successful access key creation by an unusual identity type
Informational overridden
Cloud access key creation by a cloud identity. overridden
Unusual successful cloud access key creation
Informational overridden
Cloud access key creation by a cloud identity. overridden
Cloud activity from a high-risk IP address Informational Cloud 1 variation
An identity executed a cloud API from a high-risk IP address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access using a compromised identity while obfuscating origin.Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.Variations
Cloud activity from an unusual high-risk IP
Low overridden
An identity executed a cloud API from a high-risk IP address. overridden
Cloud compute instance user data script modification Informational Cloud 1 variation
The user data of a cloud compute instance was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Cloud Administration Command (T1651)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute commands within virtual machines.Investigative actions: Verify whether this action is expected. Inspect the user data script for malicious content.Variations
Unusual Cloud compute instance user data script modification
Low overridden
The user data of a cloud compute instance was modified. overridden
Cloud compute serial console access Informational Cloud 2 variations
An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Utilize direct access to virtual infrastructure to pivot through a cloud environment.Investigative actions: Verify whether the identity should be making this action. Investigate which actions were performed via serial console access.Variations
Cloud compute serial console access by an identity with high administrative activity
Informational overridden
An identity with high administrative activity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden
Suspicious cloud compute serial console access in a project
Low overridden
An identity connected to a compute instance using serial console access.This may indicate an attacker attempting to move laterally between cloud instances. overridden
Cloud compute volume creation attempt Informational Cloud 1 variation
An attempt was made to create an EBS volume.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on snapshots.Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.Variations
Cloud compute volume creation attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to create an EBS volume. overridden
Cloud email infrastructure enumeration activity Informational Cloud
A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Map the cloud email environment and detect potential email resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.Cloud email sending was enabled Informational Cloud 1 variation
Cloud email sending was enabled for the cloud account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Compromise Accounts: Email Accounts (T1586.002)Required data: AWS Audit LogAttacker's goals: Use the existing account to send phishing or spread malware.Investigative actions: Check if the identity has performed any email-related operations in the past. Check if this account should be used for email sending.Variations
Cloud email sending was enabled by an unusual identity
Low overridden
Cloud email sending was enabled for the cloud account.The identity was not seen performing any operations in SES in the last 30 days. overridden
Cloud email service activity Informational Cloud 2 variations
A cloud Identity performed an email service operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Internal Spearphishing (T1534)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Abuse the cloud email service for sending phishing emails.Investigative actions: Check for any following actions related to this activity. Verify that the identity did not abuse the email service to send phishing emails to victims.Variations
Unusual cloud email service activity
Low overridden
A cloud Identity performed an email service operation for the first time in the tenant. overridden
Cloud email service entity creation
Low overridden
A cloud Identity created a new cloud email identity. overridden
Cloud identity reached a throttling API rate Informational Cloud 3 variations
A cloud identity has executed a high volume of API calls, causing a throttling error.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse cloud resource, such behavior is usually seen during cryptocurrency attacks.Investigative actions: Check the identity created resources and their legitimacy. Look for any unusual behavior originated from the suspected identity.Variations
Cloud identity reached a highly unusual throttling API rate
Low overridden
A cloud identity has executed a high volume of API calls, causing a throttling error.This indicates on a high volume of cloud instances allocation, such activity may be related to a cryptocurrency attack. overridden
Cloud identity reached an unusual throttling API rate in the cloud project
Informational overridden
A cloud identity has executed a high volume of API calls, causing a throttling error.This API rate is unusual on the project level. overridden
Cloud identity reached an unusual throttling API rate
Informational overridden
A cloud identity has executed a high volume of API calls, causing a throttling error.This activity is unusual for The cloud identity, and was not seen in the last 30 days. overridden
Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations
A suspicious identity type has attempted to impersonate another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.Variations
Cloud impersonation attempt of a management role by unusual identity type
Informational overridden
An unusual cloud identity type attempted to impersonate a management role. overridden
Successful cloud impersonation by an unusual identity type
Medium overridden
A suspicious identity type has successfully impersonated another identity. overridden
Cloud infrastructure enumeration activity Informational Cloud 1 variation
A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Map the cloud environment and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Suspicious cloud infrastructure enumeration activity
Low overridden
A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden
Cloud instance creation attempt Informational Cloud
An attempt was made to create a cloud compute instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Create a new cloud instance to evade detection or leverage it for further malicious activity.Investigative actions: Review recent activity related to the identity and the created cloud instance.Cloud instance deletion attempt Informational Cloud 1 variation
An attempt was made to delete a cloud compute instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: To remove evidence or disrupt operations.Investigative actions: Review recent activity associated with the identity and the deleted instance.Variations
Cloud instance deletion attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to delete a cloud compute instance. overridden
Cloud penetration testing tool activity High Cloud 3 variations
A cloud API was successfully executed using a known cloud penetration testing tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.Investigative actions: Confirm if authorized penetration testing activity is currently scheduled. Review the API operations performed by the identity to determine the intent and scope of the activity.Variations
Cloud penetration testing tool usage attempt
Informational overridden
A failed cloud API was executed using a known cloud penetration testing tool. overridden
Cloud security assessment tool activity
Low overridden
A cloud API was successfully executed using a known cloud security assessment tool. overridden
Cloud penetration testing tool activity by Azure application
Informational overridden
A cloud API was successfully executed using a known cloud penetration testing tool by an Azure application. overridden
Cloud resource logging was disabled Informational Cloud 3 variations
Cloud resource logging was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Avoiding detection of their activities by limiting the amount of data collected. This action may be preliminary to resource deletion or data exhilaration from the resource. Setting the stage for further attacks, like a Ransomware Attack.Investigative actions: Confirm that the identity intended to disable logging on this resource. Follow further actions done by the identity. Monitor other (non-disabled) activity logs related to this resource.Variations
Cloud resource logging was disabled - failed attempt
Informational overridden
A failed attempt to disable cloud resource logging. overridden
Cloud resource logging was disabled on an Azure DB/storage resource
Informational overridden
Cloud resource logging was disabled on a DB/storage resource. overridden
Cloud resource logging was disabled on a GCP DB/storage resource
Low overridden
Cloud resource logging was disabled on a DB/storage resource. overridden
Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot of a database or storage instance was publicly shared Medium Cloud
A cloud identity has publicly shared a snapshot of a database or storage instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to share the snapshot publicly. Check if the identity performed additional malicious operations within the cloud environment.Cloud storage automatic backup disabled Informational Cloud 1 variation
Automatic backup of a cloud storage resource was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.Investigative actions: Confirm that the identity intended to disable automatic backup on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.Variations
Cloud storage automatic backup disabled from a CLI
Informational overridden
Automatic backup of a cloud storage resource was disabled from a CLI. overridden
Cloud storage delete protection disabled Informational Cloud 1 variation
Delete protection of a cloud storage resource was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.Investigative actions: Confirm that the identity intended to disable deletion protection on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.Variations
Cloud storage delete protection disabled by an unusual identity
Informational overridden
Delete protection of a cloud storage resource was disabled by an unusual identity. overridden
Cloud storage object discovery Informational Cloud
Cloud storage object discovery.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Identify sensitive data, valuable files, configuration details or other information that can be leveraged for further attacks.Investigative actions: Review the identity's permissions and historical access to the storage resource. Analyze the identity's immediate post-listing actions on the storage resource. Correlate this event with other discovery activity or suspicious logins by the identity.Cloud user performed multiple actions that were denied Informational Cloud 1 variation
An identity performed multiple actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Execute various commands to explore the cloud environment.Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.Variations
Cloud non-user identity performed multiple actions that were denied
Low overridden
An identity performed multiple actions that were denied, which may indicate it is being misused. overridden
CloudTrail logging deletion Informational Cloud 2 variations
CloudTrail logging trail deletion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Verify whether the identity attempted to delete the trail. Determine whether an additional trail needs to be enabled.Variations
Successful CloudTrail logging deletion by a non-admin identity
Medium overridden
CloudTrail logging trail deletion. overridden
Successful CloudTrail logging deletion by an unusual identity
Low overridden
CloudTrail logging trail deletion. overridden