Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Collection error High

    A collection error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Command execution in a Kubernetes pod Informational 2 variations

    Container administration commands were executed within a Kubernetes pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Command execution in a Kubernetes pod for the first time

    Low overridden

    Container administration commands were executed within a Kubernetes pod. overridden

    Command execution in a Kubernetes pod in the kube-system namespace

    Informational overridden

    Container administration commands were executed within a Kubernetes pod. overridden

  • Command execution via AWS SSM Medium Cloud

    A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.
    Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).
  • Command execution via wmiexec Informational

    Attackers may use WMI to execute commands on the target host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Execute commands on the victim host.
    Investigative actions: Correlate the RPC call from the source host and understand which process initiated it.
  • Command running with COMSPEC in the command line argument Low

    COMSPEC is an environmental variable that points to cmd.exe. Attackers may use this command to obfuscate their command and avoid detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    Required data: XDR Agent
    Attacker's goals: Attackers might use environment variables to try and avoid being detected and obfuscate their commands.
    Investigative actions: Investigate the actor and the command line that executed with COMSPEC Verify that the command executed from a trusted source.
  • Common third-party software name masquerading Informational 2 variations

    An attacker might leverage common third-party software image names to run malicious processes without being caught.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker is attempting to masquerade as a common third-party software image to execute malicious code.
    Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.

    Variations

    Common third-party software name masquerading which was downloaded from an unexpected source

    Low overridden

    An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden

    Common third-party software name masquerading with uncommon characteristics by actor with uncommon characteristics

    Low overridden

    An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden

  • Commonly abused AutoIT script connects to an external domain Medium

    AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • Commonly abused AutoIT script drops an executable file to disk Informational

    AutoIT scripts have legitimate uses but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.
  • Commonly abused process launched as a system service Informational

    This commonly abused host process has been launched by a services.exe parent, indicating it has been installed as a system service. This behavior can have legitimate uses, but often used by malware as a persistence mechanism.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: System Services: Service Execution (T1569.002)
    Required data: XDR Agent
    Attacker's goals: Attackers may use services to persist or execute commands on remote hosts.
    Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.
  • Compressing data using python Low

    Usage of a Python module to compress files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Library (T1560.002)
    Required data: XDR Agent
    Attacker's goals: Collecting and staging data before exfiltration.
    Investigative actions: Investigate the process and command line for access to sensitive files.
  • Compute activity in dormant cloud region Informational Cloud 3 variations

    A compute resource was created or updated in a cloud region that has been dormant for this project.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Unused/Unsupported Cloud Regions (T1535)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Create compute resources in unmonitored regions to evade detection for purposes such as hijacking resources or establishing persistence.
    Investigative actions: Verify if compute resources are authorized in this region. Terminate unauthorized compute resources and disable unused regions.

    Variations

    Compute activity in dormant cloud region from a non-VPN IP address

    Informational overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

    A cloud compute instance was created in a dormant region

    Medium overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

    Compute activity in dormant cloud region by a compromised AWS access key

    High overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

  • Conditional Access policy removed Low Identity Threat Module

    An identity removed a Conditional Access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.
    Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.
  • Conhost.exe spawned a suspicious cmd process Low 3 variations

    Attackers may abuse the conhost process to execute malicious files and evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Investigate the processes being spawned on the host for malicious activities.
    Investigative actions: An adversary may use the conhost process to evade detection.

    Variations

    Conhost.exe spawned a suspicious powershell encoded command

    High overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

    Conhost.exe spawned a suspicious scripting process with long command line

    Medium overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

    Conhost.exe spawned a suspicious child process

    Medium overridden

    Attackers may abuse the conhost process to execute malicious files and evade detection. overridden

  • Contained process execution with a rare GitHub URL Low

    A contained process was executed with a suspicious GitHub url in the command line. This may be a legitimate use, but this technique is frequently used by attackers to download malicious payloads.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution: Malicious Image (T1204.003)
    Required data: XDR Agent
    Attacker's goals: Download a second stage payload for execution.
    Investigative actions: Check if the initiator process is malicious. Check the user activity on the same container at that time. Check if the container is a development container. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.
  • Copy a process memory file High 1 variation

    Copy a process memory file using the dd utility.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping: Proc Filesystem (T1003.007)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Read another process memory, mainly for credential access.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Copy a process memory file from a Kubernetes pod

    High overridden

    Copy a process memory file using the dd utility. overridden

  • Copy a user's GnuPG directory with rsync Low

    Copy a user's GnuPG (.gnupg) directory on to a staging folder using the 'find' and 'rsync' commands.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use the rsync tool to exfiltrate secrets.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Correlation rule error Medium

    An error was identified while running a correlation rule.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Creation or modification of the default command executed when opening an application Informational 4 variations

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Check the registry data modified for a potentially malicious command line. Look for processes running matching the command line for malicious activity.

    Variations

    Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening an MMC application

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

    Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)

    Medium overridden

    Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden

  • Credentials were added to Azure application Informational Cloud

    Credentials were added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • DLP sensitive data exposed to external users Informational Identity Threat Module Email 1 variation

    A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to access sensitive information.
    Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.

    Variations

    High-severity DLP sensitive data exposed to external users

    Low overridden

    A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information. overridden

  • DNS Tunneling Low 1 variation

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    DNS Tunneling

    Medium overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden

  • DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations

    An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute malicious content on and move laterally across machine in the network.
    Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

    Variations

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

    High overridden

    An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden

  • Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations

    An identity has modified data sharing settings between GCP and Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.

    Variations

    Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

  • Data encryption was disabled Informational Cloud

    A cloud identity has disabled data encryption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Weaken Encryption (T1600) Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: An attacker is trying to access sensitive data in plaintext. An attacker might try to exfiltrate plaintext data to an endpoint controlled by the attacker and avoid detection. An attacker can re-encrypt the data with a key that is available only to the attacker.
    Investigative actions: Check if the identity intended to disable data encryption. Check which cloud assets were affected by manipulating the above-mentioned configuration file. Check if the identity performed additional suspicious actions to affected assets.
  • Data exfiltration from cloud database Low Cloud 2 variations

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation.

    Variations

    Data exfiltration from cloud database containing sensitive data from a production account toa foreign account

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

    Suspicious data exfiltration from cloud database

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

  • Delayed Deletion of Files Low

    A command line deleting files used the time-out or ping commands to delay the file deletion. This is suspicious, as malware sometimes uses these techniques to cover their tracks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal: File Deletion (T1070.004)
    Required data: XDR Agent
    Attacker's goals: Evade security controls and possibly cover their tracks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Deletion of AD CS certificate database entries Informational Identity Analytics 1 variation

    A user has deleted rows from the certificate database of an AD CS server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indicator Removal (T1070)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to cover their tracks after issuing certificates.
    Investigative actions: Check the user account deleting the certificate database entries and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes.

    Variations

    Abnormal deletion of AD CS certificate database entries

    Low overridden

    A user has deleted rows from the certificate database of an AD CS server. overridden

  • Deletion of multiple cloud resources Informational Cloud 2 variations

    An identity deleted multiple cloud resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.
    Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.

    Variations

    Deletion of multiple cloud resources

    Medium overridden

    An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen across all projects for the last 30 days. overridden

    Deletion of multiple cloud resources

    Low overridden

    An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen in this project for the last 30 days. overridden

  • Denied API call by a Kubernetes service account Informational Cloud 2 variations

    A Kubernetes service account API call was denied.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Check whether the service account should be making this API call. Check service account's activity, including additional executed API calls.

    Variations

    Denied API call by Kubernetes service account for the first time in the cluster

    Low overridden

    A Kubernetes service account API call was denied. overridden

    Suspicious denied API call by a Kubernetes service account

    Informational overridden

    A Kubernetes service account API call was denied. overridden

  • Device Registration Policy modification Informational Identity Threat Module 1 variation

    An identity changed the Device Registration policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.
    Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.

    Variations

    A user modified the Device Registration Policy for the first time

    Low overridden

    An identity changed the Device Registration policy. overridden

  • Disable Microsoft Defender Antivirus via registry Low

    Disable Microsoft Defender Antivirus via registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to disable defender antivirus to execute malicious tools and move through the network without triggering alarms.
    Investigative actions: Investigate the process that set or create the registry key.
  • Disable encryption operations Low Cloud

    Encryption was disabled on the servers that host EC2 instances, both for data-at-rest and data-in-transit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation (T1565)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Decrypt sensitive data host on EC2 instance, this may be a step in a flow for data exfiltration.
    Investigative actions: Check if Identity intended to disable the encryption.
  • Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Suspicious discovery of accounts without pre-authentication required via LDAP

    Medium overridden

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Discovery of host users via WMIC Informational

    Attackers may use wmic.exe to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Owner/User Discovery (T1033)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to discover host users and enumerate a huge amount of information.
    Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).
  • Discovery of misconfigured certificate templates using LDAP Medium 1 variation

    An LDAP query searching for misconfigured certificate templates was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services Analytics
    Attacker's goals: An attacker can use misconfigured certificate templates for escalation and authentication.
    Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.

    Variations

    Frequent LDAP discovery of misconfigured certificate templates by a common process

    Low overridden

    An LDAP query searching for misconfigured certificate templates was executed regularly by a common process. overridden

  • Download a script using the python requests module Low

    Download a shell script from a remote location using the Python requests module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: Python (T1059.006)
    Required data: XDR Agent
    Attacker's goals: Adversaries may abuse Python commands and scripts to download additional malicious files or for exfiltration.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Download pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • EBS snapshots were created from an EC2 instance Informational Cloud 2 variations

    One or more EBS snapshots were created from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Clone existing compute volumes for exfiltration purposes. This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.
    Investigative actions: Confirm that the identity intended to create the described snapshots. Monitor the source instance for additional suspicious activities. Follow further actions done by the identity.

    Variations

    EBS snapshots were created from an EC2 instance attached one or more volumes with sensitive data

    Informational overridden

    One or more EBS snapshots were created from an EC2 instance.The instance has one or more volumes attached containing sensitive data. overridden

    An unusual creation of EBS snapshots from an EC2 instances

    Low overridden

    One or more EBS snapshots were created from an EC2 instance.The operation was not performed by this identity in the last 30 days. overridden

  • EBS volume attachment attempt Informational Cloud 2 variations

    An attempt was made to attach an EBS volume to an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log
    Attacker's goals: Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.
    Investigative actions: Review recent activity related to the identity, the attached volume and the cloud instance.

    Variations

    EBS volume attachment attempt for volume with sensitive data

    Informational overridden

    An attempt was made to attach an EBS volume with sensitive data to an EC2 instance. overridden

    EBS volume attachment attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to attach an EBS volume to an EC2 instance. overridden

  • EBS volume detachment attempt Informational Cloud 1 variation

    An attempt was made to detach an AWS EBS volume from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on the detached volume.
    Investigative actions: Review recent activity related to the identity and the detached volume.

    Variations

    EBS volume detachment attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to detach an AWS EBS volume from an EC2 instance. overridden

  • EC2 instance Amazon machine image was created Informational Cloud

    Amazon machine image was created from elastic compute cloud instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Attacker's goals: Creating Amazon machine images might be part of elastic compute cloud instance exfiltration chain.
    Investigative actions: Check if {identity_name} to create Amazon machine image. Check if the {cloud_aws_instance_id} instance did not contain any sensitive data.
  • EC2 snapshot attribute has been modified Informational Cloud

    The snapshot's permissions were modified (added/removed).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate backup/stored information.
    Investigative actions: Check if the snapshot is shared with an unwanted account/actor.
  • Elevation to SYSTEM via services Low 2 variations

    Services were affected by a non SYSTEM integrity level process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Malicious Service Analytics
    Attacker's goals: Escalate privileges to system and execute commands.
    Investigative actions: Investigate the service being spawned on the host for malicious activities.

    Variations

    Elevation to SYSTEM via service creation

    Low overridden

    A service was created from a non SYSTEM integrity level process. overridden

    Elevation to SYSTEM via service modification

    Low overridden

    An existing service was modified from a non SYSTEM integrity level process. overridden

  • Email attachment with Right-to-Left Override Unicode character Low Email

    The email message contains an attachment with a hidden Right-to-Left Override Unicode character.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion
    Attacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.
  • Email attachment with a potentially malicious file extension Informational Email 2 variations

    The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.

    Variations

    Attachment(s) with a potentially malicious file extension unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious file extension unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email attachment with multiple extensions Informational Email 2 variations

    This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.

    Variations

    Email executable attachment with multiple extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

    Email executable attachment with multiple executable extensions

    Low overridden

    This could be a potential attempt to trick the user into executing such file(s). overridden

  • Email attachment(s) with potentially malicious MIME type Informational Email 2 variations

    The email message contains an attachment(s) with a potentially malicious MIME type.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.

    Variations

    Attachment(s) with potentially malicious MIME type unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious MIME type that is unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email containing a link with an IP address convention was detected Informational Email

    A link with IP address convention was detected within the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Masquerading (T1036) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user into clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email containing a redirected link Informational Email 1 variation

    An email with a redirected link has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)
    ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers can use link redirection to disguise malicious URLs.
    Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email containing a redirected link with multiple redirections

    Informational overridden

    An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden

  • Email contains URL delivering high-risk file type Informational Email 1 variation

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.
    Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.

    Variations

    External email with URL delivers blocked file types

    Low overridden

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden

  • Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Spam
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email with high Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with high Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

  • Email mimics replies or forwards without an actual ongoing conversation Informational Email

    An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566) Trusted Relationship (T1199)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, mislead recipients by concealing harmful intents such as phishing or malware distribution.
    Investigative actions: Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged. Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email was received from an unknown address using a public provider domain Informational Email

    The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email was received from an unknown sender using a disposable domain Low Email

    The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email with URL shortener detected Informational Email

    A URL shortener was detected in the email body.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts (T1564)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Attackers use URL shorteners to hide the true destination of a link, making it easier to trick recipients into clicking on it.
    Investigative actions: Examine the sender's IP ֿֿaddress and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email with file-sharing link containing auto-download parameter Low Email 1 variation

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.
    Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.

    Variations

    External email with file-sharing link containing auto-download parameter

    Low overridden

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden

  • Encoded information using Windows certificate management tool Medium

    Encoding/decoding to/from using certutil.exe could be used to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)
    Required data: XDR Agent
    Attacker's goals: Evade detection by executing processes with obfuscated arguments.
    Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.
  • Error in event forwarding Medium

    An error was detected in event forwarding.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    4 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Excessive user account lockouts Low Identity Analytics 2 variations

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Determine if any programs have stored outdated credentials, causing account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Excessive user account lockouts from a suspicious source

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

    Excessive account lockouts on suspicious users

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

  • Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    A recently configured Exchange DKIM signing configuration was disabled

    Informational overridden

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden

  • Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.
  • Exchange Safe Link policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.
  • Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    Recently configured Exchange anti-phish policy disabled or removed

    Informational overridden

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden

  • Exchange audit log disabled Low Identity Threat Module Email

    A user disabled the Exchange audit log. This may indicate an attempt to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Exchange compliance search created Informational Identity Threat Module Email 2 variations

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is searching mailboxes to access sensitive information.
    Investigative actions: Follow further actions done by the account. Check to see if the search contained sensitive information. Check if any data was exfiltrated after the search. Look for suspicious search terms.

    Variations

    Suspicious Exchange compliance search created

    Low overridden

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. The query contains potentially suspicious keywords, which could indicate an attempt of sensitive data collection. overridden

    Exchange compliance search created for the first time

    Low overridden

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. overridden

  • Exchange email-hiding inbox rule Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox rule that may be used to hide emails.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)
    Required data: Office 365 Audit
    Attacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule keywords look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures inbox rules.

    Variations

    Possible BEC Exchange email-hiding inbox rule

    Medium overridden

    A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack. overridden

    Suspicious Exchange email-hiding inbox rule

    Medium overridden

    A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden

    Abnormal Exchange email-hiding inbox rule

    Low overridden

    A user configured an Exchange inbox rule that may be used to hide emails. overridden

  • Exchange email-hiding transport rule Informational Identity Threat Module Email 2 variations

    A user configured an Exchange transport rule that may be used to hide emails in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)
    Required data: Office 365 Audit
    Attacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule contains keywords and if they look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures transport rules.

    Variations

    Suspicious Exchange email-hiding transport rule

    Medium overridden

    A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden

    Exchange email-hiding transport rule based on message keywords

    Low overridden

    A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account. overridden

  • Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.
    Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange inbox forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange inbox forwarding rule configured

    Medium overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden

    External Exchange inbox forwarding rule configured

    Low overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden

  • Exchange mailbox audit bypass Low Identity Threat Module Email

    A user added mailbox audit bypass for an account. This will allow the account to perform actions without being logged, and may indicate an attempt to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may abuse the audit bypass mechanism to conceal actions and evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected.
  • Exchange mailbox delegation permissions added Informational Identity Threat Module Email 1 variation

    A user added delegation permissions to an Exchange mailbox.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)
    Required data: Office 365 Audit
    Attacker's goals: Add delegation permissions to a mailbox for persistence reasons.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).

    Variations

    Addition of Exchange mailbox delegation permissions with suspicious characteristics

    Low overridden

    A user added delegation permissions to an Exchange mailbox. overridden

  • Exchange mailbox folder permission modification Informational Identity Threat Module Email 1 variation

    A user modified permissions to an Exchange mailbox folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Check for abnormal Azure AD non-interactive logins by the user. Monitor for changes that may indicate excessively broad permissions.

    Variations

    Exchange mailbox folder permission modification for a default user

    Low overridden

    A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user. overridden

  • Exchange malware filter policy removed Low Identity Threat Module Email

    A user removed an Exchange malware filter policy, which may prevent the detection of malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed. Monitor for signs of malware in future messages.
  • Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.
    Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange transport forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange transport forwarding rule configured

    Medium overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden

  • Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.

    Variations

    Exchange user mailbox forwarding by a delegate user

    Informational overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange user mailbox forwarding

    Medium overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden

  • Executable created to disk by lsass.exe Medium

    Lsass.exe does not normally create executables to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: This activity was an important stage for several exploits.
    Investigative actions: Check the file that was written to the disk for malicious activities.
  • Executable moved to Windows system folder Informational 4 variations

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: An attacker may be trying to avoid detection by moving an executable to a Windows system folder.
    Investigative actions: Check if the file is known in organization or malicious. Check if the digital signature of the file is valid and belongs to a known good software vendor. Investigate the process that has moved the file to the system folder.

    Variations

    Rare executable moved to Windows system folder by rare causality actor

    Medium overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Executable moved to Windows system folder by remote causality and a rare actor

    Medium overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Rare executable moved to Windows system folder by rare actor

    Low overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

    Executable moved to Windows system folder by rare and unsigned actor

    Low overridden

    An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden

  • Executable or Script file written by a web server process Low 3 variations

    An uncommon executable or script file was created, written, or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gain the ability to execute commands on the host and establish persistence.
    Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.

    Variations

    A driver was written by a web server process

    Low overridden

    An uncommon driver file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process in an internet facing server

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

  • Execution of an uncommon process at an early startup stage Informational 2 variations

    Uncommon execution of an executable found in an early startup stage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup. Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the CGO (causality group owner) is familiar and if one of it configuration/parameters/registry keys has been modified.

    Variations

    Execution of an uncommon process at an early startup stage with suspicious characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage. overridden

    Execution of an uncommon process at an early startup stage with uncommon characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage. overridden

  • Execution of an uncommon process at an early startup stage by Windows system binary Low 2 variations

    Uncommon execution of an executable found in an early startup stage by Windows system binary.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

    Variations

    Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden

    Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics

    Low overridden

    Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden

  • Execution of an uncommon process with a local/domain user SID at an early startup stage Informational 2 variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the CGO (causality group owner) is familiar and if any configuration, parameters, or registry keys have been modified.

    Variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden

  • Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary Low 3 variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Boot or Logon Autostart Execution (T1547)
    Required data: XDR Agent
    Detector tags: Generic Persistence Analytics
    Attacker's goals: Attackers aim to get persistence to continue operating even after a reboot.
    Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.

    Variations

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO

    Informational overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with a suspicious characteristics by Windows system binary

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage with an uncommon characteristics by Windows system binary

    Low overridden

    Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden

  • Execution of command from within a Kubernetes pod using kubelet credentials Low 1 variation

    A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Access Token Manipulation (T1134)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual execution of command from within a Kubernetes pod using kubelet credentials

    Medium overridden

    A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API. overridden

  • Execution of dllhost.exe with an empty command line Low 2 variations

    The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218)
    Required data: XDR Agent
    Attacker's goals: Evade detection when running suspicious commands.
    Investigative actions: Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

    Variations

    Execution of unsigned dllhost from a non-typical path with empty command line

    High overridden

    An unsigned process was executed with the name dllhost.exe from a non-typical path, this behavior is suspicious and maybe performed by a malicious actor in an attempt to hide their actions. overridden

    Globally uncommon execution of dllhost.exe with an empty command line

    Low overridden

    The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection. overridden

  • Execution of masqueraded third-party utility Informational 2 variations

    An attacker may be trying to avoid detection of third-party utility execution by renaming it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file masquerading.
    Investigative actions: Check the process origin or whether it comes with any packages the user has used.

    Variations

    Execution of masqueraded third-party automation utility

    Medium overridden

    An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden

    Execution of significantly masqueraded third-party utility

    Low overridden

    An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden

  • Execution of renamed lolbin Informational 1 variation

    An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)
    Required data: XDR Agent
    Detector tags: EDR Windows Disguised Processes
    Attacker's goals: Detection avoidance via file rename.
    Investigative actions: Check the lolbin's origin or whether it comes with any packages the user has used.

    Variations

    Execution of significantly renamed lolbin

    Medium overridden

    An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin. overridden

  • External Login Password Spray Informational Identity Analytics 6 variations

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Check the amount of time in between each login attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful login attempts and the ratio of login success versus login failures.

    Variations

    External Login Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    External Login Password Spray from Multiple Source Hosts

    Informational overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    Successful External Login Password Spray on a Domain Controller

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden

    Successful External Login Password Spray on a sensitive server

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time. overridden

    Successful External Login Password Spray

    Low overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    External Login Password Spray on a Domain Controller

    Low overridden

    An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden

  • External SaaS file-sharing activity Informational Identity Threat Module 1 variation

    A user shared files from within a SaaS service to an external domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may share files from a SaaS service to exfiltrate sensitive data.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Determine if the files are shared with users outside the organization and if the recipients are familiar. Review the files that were shared to determine if they contain sensitive data. Analyze the file types that were shared. Monitor the account for any further suspicious actions.

    Variations

    SaaS external file sharing to an abnormal domain

    Low overridden

    A user shared files to an external domain, which the organization does not typically share files with. overridden

  • External Sharing was turned on for Google Drive Informational Identity Threat Module 3 variations

    An identity has modified Google Drive sharing settings and allowed external sharing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may exfiltrate data, such as sensitive documents.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). check the new setting details. Follow further actions done by the account.

    Variations

    External Sharing was turned on for Google Drive by a non Google Workspace administrative user from an unusual ASN

    Low overridden

    An identity has modified Google Drive sharing settings and allowed external sharing. overridden

    External Sharing was turned on for Google Drive by a non Google Workspace administrative user

    Low overridden

    An identity has modified Google Drive sharing settings and allowed external sharing. overridden

    External Sharing was turned on for Google Drive from an unusual ASN

    Low overridden

    An identity has modified Google Drive sharing settings and allowed external sharing. overridden

  • External email display name impersonation of internal personnel Informational Email 1 variation

    The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impersonation (T1656)
    Required data: Microsoft 365 Emails
    Detector tags: Employee Impersonation, Spear Phishing
    Attacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    External email display name impersonation of internal personnel, using a public provider

    Informational overridden

    The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user. overridden

  • External email with a single internal recipient hidden in BCC Informational Email 1 variation

    External email with mailbox owner hidden in BCC as the only internal recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.
    Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    External email with only a hidden internal BCC recipient

    Informational overridden

    External email with no visible recipients, mailbox owner is hidden in BCC. overridden

  • External user added a link to a Microsoft Teams chat Informational Identity Threat Module 1 variation

    An external user added a link to a Microsoft Teams chat.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the external tenant and user are authorized to share links or files with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that have been sent in the conversation. Evaluate the external domain reputation. Review past communication from the external user. Follow further actions done by the account.

    Variations

    An external user sent a link via Microsoft Teams with suspicious parameters

    Low overridden

    An external user sent a link with suspicious parameters in a Microsoft Teams conversation. overridden

  • External user call via Microsoft Teams Informational Identity Threat Module 2 variations

    An external user called a user in the organization via Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing: Spearphishing Voice (T1566.004)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the external tenant and external user are authorized to call users in the organization. Check external domain reputation. Follow further actions performed by the user who participated in the call. Verify if the user account was compromised or was a victim of a voice phishing campaign.

    Variations

    A first seen external user with a suspicious name initiated a Microsoft Teams call

    Medium overridden

    A first seen external user with a suspicious name successfully called via Microsoft Teams a user in the organization. overridden

    An external user with a suspicious name initiated a Microsoft Teams call

    Low overridden

    An external user with a suspicious name called via Microsoft Teams a user in the organization. overridden

  • External user created a Microsoft Teams conversation with suspicious operations Informational Identity Threat Module 9 variations

    An external user created a Microsoft Teams conversation with users in the organization with additional suspicious operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify whether any user was removed from the conversation, and determine the reason for their removal. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.

    Variations

    An external user initiated a Microsoft Teams chat in which a suspicious link was shared and a member was removed

    Low overridden

    An external user initiated a Microsoft Teams chat in which a link, with a domain that hasn't been seen the last 30 days, was shared, and a member was removed. overridden

    An external user created a chat and shortly after sent a link with a newly seen domain name

    Low overridden

    An external user created a chat and shortly after sent a link to a conversation via Microsoft Teams that refers to a domain that was seen for the first time in the past 30 days. overridden

    An external user initiated a Microsoft Teams chat in which a link was shared and a member was removed

    Low overridden

    An external user initiated a Microsoft Teams chat in which a link with a rarely seen domain was shared, and a member was removed. overridden

    An external user created a chat then sent a link with a file for the first time via Microsoft Teams

    Low overridden

    An external user sent a link for the first time during the past 30 days in a Microsoft Teams conversation, and the link points to a file. overridden

    An external user created a chat with a suspicious user or chat name and then sent a link via Microsoft Teams

    Low overridden

    An external user created a chat with a suspicious user or chat name and sent a link in Microsoft Teams, which can be a phishing attempt. overridden

    External user created a Microsoft Teams conversation with a suspicious user or chat name and shortly after removed a user from it

    Low overridden

    An external user created a conversation with a suspicious user or chat name, and then removed a member, which could indicate potential suspicious activity. overridden

    An external user created a chat then sent a link via Microsoft Teams

    Informational overridden

    An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden

    An external user created a chat and then sent a link via Microsoft Teams

    Informational overridden

    An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden

    External user created a Microsoft Teams conversation and shortly after removed a user from it

    Informational overridden

    An external user created a conversation and then removed a member, which could indicate potential suspicious activity. overridden

  • External user invitation to Azure tenant Informational Cloud

    An external user was invited to Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain unauthorized access to the tenant.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • External user started a Microsoft Teams conversation Informational Identity Threat Module 5 variations

    An external user started a Microsoft Teams conversation with users in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.

    Variations

    An external user started multiple conversations in Microsoft Teams with suspicious chat names

    Low overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    An external user started a conversation in Microsoft Teams with a suspicious user or chat name

    Low overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    An external user started multiple conversations in Microsoft Teams

    Low overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    External user started a Microsoft Teams conversation and sent a message

    Informational overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    An external user started conversations in Microsoft Teams with many internal users

    Informational overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

  • Extracting credentials from Unix files Low

    Suspicious Unix files containing insecurely stored credentials were accessed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)
    Required data: XDR Agent
    Attacker's goals: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    Investigative actions: Investigate the process activities and use of the extracted credentials.
  • FTP Connection Using an Anonymous Login or Default Credentials Low

    An FTP connection using an anonymous login was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Failed Connections Low 2 variations

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: An attacker does not know your network and is exploring it for new or unknown subnets.
    Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.

    Variations

    Failed Connections

    Informational overridden

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network. overridden

    Failed Connections with a rare causality and actor processes relations

    Informational overridden

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.These failed connections originated from a rare relation between an actor process and its causality. overridden

  • Failed DNS Low

    The endpoint is performing DNS lookups that are failing at an excessively high rate when compared to its peer group. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    2 Hours
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees large numbers of failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false-positive for this alert. Make sure the endpoint is configured properly for your DNS servers. For example, make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false-positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.
  • Failed Login For Locked-Out Account Informational

    A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Authenticate using the principal in the TGT, not knowing that it has been revoked.
    Investigative actions: Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked. The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.