Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapCollection error High
A collection error was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Command execution in a Kubernetes pod Informational 2 variations
Container administration commands were executed within a Kubernetes pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Attackers may use the container administration commands to execute commands within a Kubernetes Pod.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Command execution in a Kubernetes pod for the first time
Low overridden
Container administration commands were executed within a Kubernetes pod. overridden
Command execution in a Kubernetes pod in the kube-system namespace
Informational overridden
Container administration commands were executed within a Kubernetes pod. overridden
Command execution via AWS SSM Medium Cloud
A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit LogAttacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).Command execution via wmiexec Informational
Attackers may use WMI to execute commands on the target host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047)Required data: XDR AgentAttacker's goals: Execute commands on the victim host.Investigative actions: Correlate the RPC call from the source host and understand which process initiated it.Command running with COMSPEC in the command line argument Low
COMSPEC is an environmental variable that points to cmd.exe. Attackers may use this command to obfuscate their command and avoid detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Windows Command Shell (T1059.003)Required data: XDR AgentAttacker's goals: Attackers might use environment variables to try and avoid being detected and obfuscate their commands.Investigative actions: Investigate the actor and the command line that executed with COMSPEC Verify that the command executed from a trusted source.Common third-party software name masquerading Informational 2 variations
An attacker might leverage common third-party software image names to run malicious processes without being caught.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker is attempting to masquerade as a common third-party software image to execute malicious code.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.Variations
Common third-party software name masquerading which was downloaded from an unexpected source
Low overridden
An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden
Common third-party software name masquerading with uncommon characteristics by actor with uncommon characteristics
Low overridden
An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden
Commonly abused AutoIT script connects to an external domain Medium
AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.Commonly abused AutoIT script drops an executable file to disk Informational
AutoIT scripts have legitimate uses but are often abused by malware to execute in a signed process context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Command and Scripting Interpreter: Windows Command Shell (T1059.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Check whether the user from the command line is an administrator or other sensitive account.Commonly abused process launched as a system service Informational
This commonly abused host process has been launched by a services.exe parent, indicating it has been installed as a system service. This behavior can have legitimate uses, but often used by malware as a persistence mechanism.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: System Services: Service Execution (T1569.002)Required data: XDR AgentAttacker's goals: Attackers may use services to persist or execute commands on remote hosts.Investigative actions: Check whether additional malicious commands were executed from the same process. Verify if the command-line seems suspicious or contains malicious indicators.Compressing data using python Low
Usage of a Python module to compress files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Library (T1560.002)Required data: XDR AgentAttacker's goals: Collecting and staging data before exfiltration.Investigative actions: Investigate the process and command line for access to sensitive files.Compute activity in dormant cloud region Informational Cloud 3 variations
A compute resource was created or updated in a cloud region that has been dormant for this project.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Unused/Unsupported Cloud Regions (T1535)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Create compute resources in unmonitored regions to evade detection for purposes such as hijacking resources or establishing persistence.Investigative actions: Verify if compute resources are authorized in this region. Terminate unauthorized compute resources and disable unused regions.Variations
Compute activity in dormant cloud region from a non-VPN IP address
Informational overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
A cloud compute instance was created in a dormant region
Medium overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
Compute activity in dormant cloud region by a compromised AWS access key
High overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
Conditional Access policy removed Low Identity Threat Module
An identity removed a Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.Conhost.exe spawned a suspicious cmd process Low 3 variations
Attackers may abuse the conhost process to execute malicious files and evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Investigate the processes being spawned on the host for malicious activities.Investigative actions: An adversary may use the conhost process to evade detection.Variations
Conhost.exe spawned a suspicious powershell encoded command
High overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Conhost.exe spawned a suspicious scripting process with long command line
Medium overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Conhost.exe spawned a suspicious child process
Medium overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Contained process execution with a rare GitHub URL Low
A contained process was executed with a suspicious GitHub url in the command line. This may be a legitimate use, but this technique is frequently used by attackers to download malicious payloads.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution: Malicious Image (T1204.003)Required data: XDR AgentAttacker's goals: Download a second stage payload for execution.Investigative actions: Check if the initiator process is malicious. Check the user activity on the same container at that time. Check if the container is a development container. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.Copy a process memory file High 1 variation
Copy a process memory file using the dd utility.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping: Proc Filesystem (T1003.007)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Read another process memory, mainly for credential access.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Copy a process memory file from a Kubernetes pod
High overridden
Copy a process memory file using the dd utility. overridden
Copy a user's GnuPG directory with rsync Low
Copy a user's GnuPG (.gnupg) directory on to a staging folder using the 'find' and 'rsync' commands.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Private Keys (T1552.004)Required data: XDR AgentAttacker's goals: Adversaries may use the rsync tool to exfiltrate secrets.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Correlation rule error Medium
An error was identified while running a correlation rule.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 12 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Creation or modification of the default command executed when opening an application Informational 4 variations
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Check the registry data modified for a potentially malicious command line. Look for processes running matching the command line for malicious activity.Variations
Creation or modification of the default command executed when opening the Microsoft optional features settings (Fodhelper.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening an MMC application
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening Windows backup and restore (sdclt.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Creation or modification of the default command executed when opening Windows Store settings (Wsreset.exe)
Medium overridden
Creation or modification of these registry keys can cause the execution of the specified programs, bypassing UAC. overridden
Credentials were added to Azure application Informational Cloud
Credentials were added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.DLP sensitive data exposed to external users Informational Identity Threat Module Email 1 variation
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to access sensitive information.Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.Variations
High-severity DLP sensitive data exposed to external users
Low overridden
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information. overridden
DNS Tunneling Low 1 variation
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
DNS Tunneling
Medium overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden
DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations
An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute malicious content on and move laterally across machine in the network.Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.Variations
DSC (Desired State Configuration) lateral movement using PowerShell to execute a script
High overridden
An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service
Medium overridden
An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden
DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry
Medium overridden
An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden
Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations
An identity has modified data sharing settings between GCP and Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.Variations
Data Sharing between GCP and Google Workspace was disabled by a suspicious identity
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled from an unusual ASN
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data encryption was disabled Informational Cloud
A cloud identity has disabled data encryption.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Weaken Encryption (T1600) Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: An attacker is trying to access sensitive data in plaintext. An attacker might try to exfiltrate plaintext data to an endpoint controlled by the attacker and avoid detection. An attacker can re-encrypt the data with a key that is available only to the attacker.Investigative actions: Check if the identity intended to disable data encryption. Check which cloud assets were affected by manipulating the above-mentioned configuration file. Check if the identity performed additional suspicious actions to affected assets.Data exfiltration from cloud database Low Cloud 2 variations
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation.Variations
Data exfiltration from cloud database containing sensitive data from a production account toa foreign account
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Suspicious data exfiltration from cloud database
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Delayed Deletion of Files Low
A command line deleting files used the time-out or ping commands to delay the file deletion. This is suspicious, as malware sometimes uses these techniques to cover their tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: File Deletion (T1070.004)Required data: XDR AgentAttacker's goals: Evade security controls and possibly cover their tracks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Deletion of AD CS certificate database entries Informational Identity Analytics 1 variation
A user has deleted rows from the certificate database of an AD CS server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to cover their tracks after issuing certificates.Investigative actions: Check the user account deleting the certificate database entries and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes.Variations
Abnormal deletion of AD CS certificate database entries
Low overridden
A user has deleted rows from the certificate database of an AD CS server. overridden
Deletion of multiple cloud resources Informational Cloud 2 variations
An identity deleted multiple cloud resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.Variations
Deletion of multiple cloud resources
Medium overridden
An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen across all projects for the last 30 days. overridden
Deletion of multiple cloud resources
Low overridden
An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen in this project for the last 30 days. overridden
Denied API call by a Kubernetes service account Informational Cloud 2 variations
A Kubernetes service account API call was denied.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the Kubernetes cluster.Investigative actions: Check whether the service account should be making this API call. Check service account's activity, including additional executed API calls.Variations
Denied API call by Kubernetes service account for the first time in the cluster
Low overridden
A Kubernetes service account API call was denied. overridden
Suspicious denied API call by a Kubernetes service account
Informational overridden
A Kubernetes service account API call was denied. overridden
Device Registration Policy modification Informational Identity Threat Module 1 variation
An identity changed the Device Registration policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.Variations
A user modified the Device Registration Policy for the first time
Low overridden
An identity changed the Device Registration policy. overridden
Disable Microsoft Defender Antivirus via registry Low
Disable Microsoft Defender Antivirus via registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to disable defender antivirus to execute malicious tools and move through the network without triggering alarms.Investigative actions: Investigate the process that set or create the registry key.Disable encryption operations Low Cloud
Encryption was disabled on the servers that host EC2 instances, both for data-at-rest and data-in-transit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation (T1565)Required data: AWS Audit LogDetector tags: Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Decrypt sensitive data host on EC2 instance, this may be a step in a flow for data exfiltration.Investigative actions: Check if Identity intended to disable the encryption.Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious discovery of accounts without pre-authentication required via LDAP
Medium overridden
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Discovery of host users via WMIC Informational
Attackers may use wmic.exe to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: System Owner/User Discovery (T1033)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to discover host users and enumerate a huge amount of information.Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).Discovery of misconfigured certificate templates using LDAP Medium 1 variation
An LDAP query searching for misconfigured certificate templates was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: File and Directory Discovery (T1083)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker can use misconfigured certificate templates for escalation and authentication.Investigative actions: Check if the LDAP search query was allowed for the user (logged on at event time) or process. Investigate the LDAP search query for any suspicious indicators.Variations
Frequent LDAP discovery of misconfigured certificate templates by a common process
Low overridden
An LDAP query searching for misconfigured certificate templates was executed regularly by a common process. overridden
Download a script using the python requests module Low
Download a shell script from a remote location using the Python requests module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: Python (T1059.006)Required data: XDR AgentAttacker's goals: Adversaries may abuse Python commands and scripts to download additional malicious files or for exfiltration.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Download pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.EBS snapshots were created from an EC2 instance Informational Cloud 2 variations
One or more EBS snapshots were created from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Clone existing compute volumes for exfiltration purposes. This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.Investigative actions: Confirm that the identity intended to create the described snapshots. Monitor the source instance for additional suspicious activities. Follow further actions done by the identity.Variations
EBS snapshots were created from an EC2 instance attached one or more volumes with sensitive data
Informational overridden
One or more EBS snapshots were created from an EC2 instance.The instance has one or more volumes attached containing sensitive data. overridden
An unusual creation of EBS snapshots from an EC2 instances
Low overridden
One or more EBS snapshots were created from an EC2 instance.The operation was not performed by this identity in the last 30 days. overridden
EBS volume attachment attempt Informational Cloud 2 variations
An attempt was made to attach an EBS volume to an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit LogAttacker's goals: Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.Investigative actions: Review recent activity related to the identity, the attached volume and the cloud instance.Variations
EBS volume attachment attempt for volume with sensitive data
Informational overridden
An attempt was made to attach an EBS volume with sensitive data to an EC2 instance. overridden
EBS volume attachment attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to attach an EBS volume to an EC2 instance. overridden
EBS volume detachment attempt Informational Cloud 1 variation
An attempt was made to detach an AWS EBS volume from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on the detached volume.Investigative actions: Review recent activity related to the identity and the detached volume.Variations
EBS volume detachment attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to detach an AWS EBS volume from an EC2 instance. overridden
EC2 instance Amazon machine image was created Informational Cloud
Amazon machine image was created from elastic compute cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogAttacker's goals: Creating Amazon machine images might be part of elastic compute cloud instance exfiltration chain.Investigative actions: Check if {identity_name} to create Amazon machine image. Check if the {cloud_aws_instance_id} instance did not contain any sensitive data.EC2 snapshot attribute has been modified Informational Cloud
The snapshot's permissions were modified (added/removed).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate backup/stored information.Investigative actions: Check if the snapshot is shared with an unwanted account/actor.Elevation to SYSTEM via services Low 2 variations
Services were affected by a non SYSTEM integrity level process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Escalate privileges to system and execute commands.Investigative actions: Investigate the service being spawned on the host for malicious activities.Variations
Elevation to SYSTEM via service creation
Low overridden
A service was created from a non SYSTEM integrity level process. overridden
Elevation to SYSTEM via service modification
Low overridden
An existing service was modified from a non SYSTEM integrity level process. overridden
Email attachment with Right-to-Left Override Unicode character Low Email
The email message contains an attachment with a hidden Right-to-Left Override Unicode character.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.Email attachment with a potentially malicious file extension Informational Email 2 variations
The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.Variations
Attachment(s) with a potentially malicious file extension unusual for the organization
Informational overridden
At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden
Attachment(s) with a potentially malicious file extension unusual for the recipient
Informational overridden
At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden
Email attachment with multiple extensions Informational Email 2 variations
This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.Variations
Email executable attachment with multiple extensions
Low overridden
This could be a potential attempt to trick the user into executing such file(s). overridden
Email executable attachment with multiple executable extensions
Low overridden
This could be a potential attempt to trick the user into executing such file(s). overridden
Email attachment(s) with potentially malicious MIME type Informational Email 2 variations
The email message contains an attachment(s) with a potentially malicious MIME type.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.Variations
Attachment(s) with potentially malicious MIME type unusual for the organization
Informational overridden
At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden
Attachment(s) with a potentially malicious MIME type that is unusual for the recipient
Informational overridden
At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden
Email containing a link with an IP address convention was detected Informational Email
A link with IP address convention was detected within the email body.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading (T1036) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email containing a redirected link Informational Email 1 variation
An email with a redirected link has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Attackers can use link redirection to disguise malicious URLs.Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email containing a redirected link with multiple redirections
Informational overridden
An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden
Email contains URL delivering high-risk file type Informational Email 1 variation
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.Variations
External email with URL delivers blocked file types
Low overridden
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden
Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: SpamAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email with high Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with high Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email mimics replies or forwards without an actual ongoing conversation Informational Email
An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566) Trusted Relationship (T1199)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, mislead recipients by concealing harmful intents such as phishing or malware distribution.Investigative actions: Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged. Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email was received from an unknown address using a public provider domain Informational Email
The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email was received from an unknown sender using a disposable domain Low Email
The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email with URL shortener detected Informational Email
A URL shortener was detected in the email body.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts (T1564)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Attackers use URL shorteners to hide the true destination of a link, making it easier to trick recipients into clicking on it.Investigative actions: Examine the sender's IP ֿֿaddress and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email with file-sharing link containing auto-download parameter Low Email 1 variation
The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.Variations
External email with file-sharing link containing auto-download parameter
Low overridden
The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden
Encoded information using Windows certificate management tool Medium
Encoding/decoding to/from using certutil.exe could be used to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) Deobfuscate/Decode Files or Information (T1140)Required data: XDR AgentAttacker's goals: Evade detection by executing processes with obfuscated arguments.Investigative actions: Check encoded/decoded command content and see whether it is benign or malicious.Error in event forwarding Medium
An error was detected in event forwarding.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 4 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Excessive user account lockouts Low Identity Analytics 2 variations
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Determine if any programs have stored outdated credentials, causing account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Excessive user account lockouts from a suspicious source
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
Excessive account lockouts on suspicious users
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
A recently configured Exchange DKIM signing configuration was disabled
Informational overridden
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden
Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)Required data: Office 365 AuditAttacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Exchange Safe Link policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
Recently configured Exchange anti-phish policy disabled or removed
Informational overridden
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden
Exchange audit log disabled Low Identity Threat Module Email
A user disabled the Exchange audit log. This may indicate an attempt to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Exchange compliance search created Informational Identity Threat Module Email 2 variations
A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: An attacker is searching mailboxes to access sensitive information.Investigative actions: Follow further actions done by the account. Check to see if the search contained sensitive information. Check if any data was exfiltrated after the search. Look for suspicious search terms.Variations
Suspicious Exchange compliance search created
Low overridden
A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. The query contains potentially suspicious keywords, which could indicate an attempt of sensitive data collection. overridden
Exchange compliance search created for the first time
Low overridden
A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. overridden
Exchange email-hiding inbox rule Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox rule that may be used to hide emails.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)Required data: Office 365 AuditAttacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule keywords look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures inbox rules.Variations
Possible BEC Exchange email-hiding inbox rule
Medium overridden
A user configured an Exchange inbox rule that may be used to hide emails. The rule contains characteristics that resemble a business email compromise (BEC) attack. overridden
Suspicious Exchange email-hiding inbox rule
Medium overridden
A user configured an Exchange inbox rule that may be used to hide emails. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden
Abnormal Exchange email-hiding inbox rule
Low overridden
A user configured an Exchange inbox rule that may be used to hide emails. overridden
Exchange email-hiding transport rule Informational Identity Threat Module Email 2 variations
A user configured an Exchange transport rule that may be used to hide emails in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Email Hiding Rules (T1564.008)Required data: Office 365 AuditAttacker's goals: Prevent an organization from warning users that they've been compromised (e.g. an internal spear-phishing campaign).Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the rule contains keywords and if they look suspicious. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for multiple instances of email hiding, which may be an indication of a larger campaign. Check if the user regularly configures transport rules.Variations
Suspicious Exchange email-hiding transport rule
Medium overridden
A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain suspicious keywords, which may be a sign of a compromised account. overridden
Exchange email-hiding transport rule based on message keywords
Low overridden
A user configured an Exchange transport rule that may be used to hide emails in the organization. The rule hides emails that contain certain keywords, which may be a sign of a compromised account. overridden
Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange inbox forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange inbox forwarding rule configured
Medium overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden
External Exchange inbox forwarding rule configured
Low overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden
Exchange mailbox audit bypass Low Identity Threat Module Email
A user added mailbox audit bypass for an account. This will allow the account to perform actions without being logged, and may indicate an attempt to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker may abuse the audit bypass mechanism to conceal actions and evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected.Exchange mailbox delegation permissions added Informational Identity Threat Module Email 1 variation
A user added delegation permissions to an Exchange mailbox.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)Required data: Office 365 AuditAttacker's goals: Add delegation permissions to a mailbox for persistence reasons.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).Variations
Addition of Exchange mailbox delegation permissions with suspicious characteristics
Low overridden
A user added delegation permissions to an Exchange mailbox. overridden
Exchange mailbox folder permission modification Informational Identity Threat Module Email 1 variation
A user modified permissions to an Exchange mailbox folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)Required data: Office 365 AuditAttacker's goals: An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Check for abnormal Azure AD non-interactive logins by the user. Monitor for changes that may indicate excessively broad permissions.Variations
Exchange mailbox folder permission modification for a default user
Low overridden
A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user. overridden
Exchange malware filter policy removed Low Identity Threat Module Email
A user removed an Exchange malware filter policy, which may prevent the detection of malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed. Monitor for signs of malware in future messages.Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange transport forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange transport forwarding rule configured
Medium overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden
Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.Variations
Exchange user mailbox forwarding by a delegate user
Informational overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange user mailbox forwarding
Medium overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden
Executable created to disk by lsass.exe Medium
Lsass.exe does not normally create executables to disk. This activity was seen as part of several exploits, like EternalBlue and DoublePulsar, used during the WannaCry attacks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: This activity was an important stage for several exploits.Investigative actions: Check the file that was written to the disk for malicious activities.Executable moved to Windows system folder Informational 4 variations
An attacker may be trying to avoid detection by moving an executable to a Windows system folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker may be trying to avoid detection by moving an executable to a Windows system folder.Investigative actions: Check if the file is known in organization or malicious. Check if the digital signature of the file is valid and belongs to a known good software vendor. Investigate the process that has moved the file to the system folder.Variations
Rare executable moved to Windows system folder by rare causality actor
Medium overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable moved to Windows system folder by remote causality and a rare actor
Medium overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Rare executable moved to Windows system folder by rare actor
Low overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable moved to Windows system folder by rare and unsigned actor
Low overridden
An attacker may be trying to avoid detection by moving an executable to a Windows system folder. overridden
Executable or Script file written by a web server process Low 3 variations
An uncommon executable or script file was created, written, or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gain the ability to execute commands on the host and establish persistence.Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.Variations
A driver was written by a web server process
Low overridden
An uncommon driver file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process in an internet facing server
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Execution of an uncommon process at an early startup stage Informational 2 variations
Uncommon execution of an executable found in an early startup stage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Adversaries continuously find and develop new undetectable, novel methods of launching malware during startup. Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the CGO (causality group owner) is familiar and if one of it configuration/parameters/registry keys has been modified.Variations
Execution of an uncommon process at an early startup stage with suspicious characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage. overridden
Execution of an uncommon process at an early startup stage with uncommon characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage. overridden
Execution of an uncommon process at an early startup stage by Windows system binary Low 2 variations
Uncommon execution of an executable found in an early startup stage by Windows system binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.Variations
Execution of an uncommon process at an early startup stage by Windows system binary with suspicious characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden
Execution of an uncommon process at an early startup stage by Windows system binary with uncommon characteristics
Low overridden
Uncommon execution of an executable found in an early startup stage by Windows system binary. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage Informational 2 variations
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the CGO (causality group owner) is familiar and if any configuration, parameters, or registry keys have been modified.Variations
Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with uncommon characteristics
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary Low 3 variations
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution (T1547)Required data: XDR AgentDetector tags: Generic Persistence AnalyticsAttacker's goals: Attackers aim to get persistence to continue operating even after a reboot.Investigative actions: Check if the Causality Group Owner (CGO) has a related persistence mechanism that may have been abused by an attacker.Variations
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO
Informational overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with a suspicious characteristics by Windows system binary
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage with an uncommon characteristics by Windows system binary
Low overridden
Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary may be an indication of a persistent mechanism on boot that is being actively abused. overridden
Execution of command from within a Kubernetes pod using kubelet credentials Low 1 variation
A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Access Token Manipulation (T1134)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual execution of command from within a Kubernetes pod using kubelet credentials
Medium overridden
A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API. overridden
Execution of dllhost.exe with an empty command line Low 2 variations
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Evade detection when running suspicious commands.Investigative actions: Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.Variations
Execution of unsigned dllhost from a non-typical path with empty command line
High overridden
An unsigned process was executed with the name dllhost.exe from a non-typical path, this behavior is suspicious and maybe performed by a malicious actor in an attempt to hide their actions. overridden
Globally uncommon execution of dllhost.exe with an empty command line
Low overridden
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection. overridden
Execution of masqueraded third-party utility Informational 2 variations
An attacker may be trying to avoid detection of third-party utility execution by renaming it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file masquerading.Investigative actions: Check the process origin or whether it comes with any packages the user has used.Variations
Execution of masqueraded third-party automation utility
Medium overridden
An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden
Execution of significantly masqueraded third-party utility
Low overridden
An attacker may be trying to avoid detection of third-party utility execution by renaming it. overridden
Execution of renamed lolbin Informational 1 variation
An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036) Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file rename.Investigative actions: Check the lolbin's origin or whether it comes with any packages the user has used.Variations
Execution of significantly renamed lolbin
Medium overridden
An attacker may be trying to avoid detection of lolbin's execution using a renamed lolbin. overridden
External Login Password Spray Informational Identity Analytics 6 variations
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Check the amount of time in between each login attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful login attempts and the ratio of login success versus login failures.Variations
External Login Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
External Login Password Spray from Multiple Source Hosts
Informational overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
Successful External Login Password Spray on a Domain Controller
Medium overridden
An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden
Successful External Login Password Spray on a sensitive server
Medium overridden
An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time. overridden
Successful External Login Password Spray
Low overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
External Login Password Spray on a Domain Controller
Low overridden
An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden
External SaaS file-sharing activity Informational Identity Threat Module 1 variation
A user shared files from within a SaaS service to an external domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may share files from a SaaS service to exfiltrate sensitive data.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Determine if the files are shared with users outside the organization and if the recipients are familiar. Review the files that were shared to determine if they contain sensitive data. Analyze the file types that were shared. Monitor the account for any further suspicious actions.Variations
SaaS external file sharing to an abnormal domain
Low overridden
A user shared files to an external domain, which the organization does not typically share files with. overridden
External Sharing was turned on for Google Drive Informational Identity Threat Module 3 variations
An identity has modified Google Drive sharing settings and allowed external sharing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may exfiltrate data, such as sensitive documents.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). check the new setting details. Follow further actions done by the account.Variations
External Sharing was turned on for Google Drive by a non Google Workspace administrative user from an unusual ASN
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External Sharing was turned on for Google Drive by a non Google Workspace administrative user
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External Sharing was turned on for Google Drive from an unusual ASN
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External email display name impersonation of internal personnel Informational Email 1 variation
The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impersonation (T1656)Required data: Microsoft 365 EmailsDetector tags: Employee Impersonation, Spear PhishingAttacker's goals: Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
External email display name impersonation of internal personnel, using a public provider
Informational overridden
The sender's email address appears unusual in relation to the provided display name, suggesting a possible impersonation attempt targeting an internal user. overridden
External email with a single internal recipient hidden in BCC Informational Email 1 variation
External email with mailbox owner hidden in BCC as the only internal recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
External email with only a hidden internal BCC recipient
Informational overridden
External email with no visible recipients, mailbox owner is hidden in BCC. overridden
External user added a link to a Microsoft Teams chat Informational Identity Threat Module 1 variation
An external user added a link to a Microsoft Teams chat.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the external tenant and user are authorized to share links or files with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that have been sent in the conversation. Evaluate the external domain reputation. Review past communication from the external user. Follow further actions done by the account.Variations
An external user sent a link via Microsoft Teams with suspicious parameters
Low overridden
An external user sent a link with suspicious parameters in a Microsoft Teams conversation. overridden
External user call via Microsoft Teams Informational Identity Threat Module 2 variations
An external user called a user in the organization via Microsoft Teams.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing: Spearphishing Voice (T1566.004)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the external tenant and external user are authorized to call users in the organization. Check external domain reputation. Follow further actions performed by the user who participated in the call. Verify if the user account was compromised or was a victim of a voice phishing campaign.Variations
A first seen external user with a suspicious name initiated a Microsoft Teams call
Medium overridden
A first seen external user with a suspicious name successfully called via Microsoft Teams a user in the organization. overridden
An external user with a suspicious name initiated a Microsoft Teams call
Low overridden
An external user with a suspicious name called via Microsoft Teams a user in the organization. overridden
External user created a Microsoft Teams conversation with suspicious operations Informational Identity Threat Module 9 variations
An external user created a Microsoft Teams conversation with users in the organization with additional suspicious operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify whether any user was removed from the conversation, and determine the reason for their removal. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.Variations
An external user initiated a Microsoft Teams chat in which a suspicious link was shared and a member was removed
Low overridden
An external user initiated a Microsoft Teams chat in which a link, with a domain that hasn't been seen the last 30 days, was shared, and a member was removed. overridden
An external user created a chat and shortly after sent a link with a newly seen domain name
Low overridden
An external user created a chat and shortly after sent a link to a conversation via Microsoft Teams that refers to a domain that was seen for the first time in the past 30 days. overridden
An external user initiated a Microsoft Teams chat in which a link was shared and a member was removed
Low overridden
An external user initiated a Microsoft Teams chat in which a link with a rarely seen domain was shared, and a member was removed. overridden
An external user created a chat then sent a link with a file for the first time via Microsoft Teams
Low overridden
An external user sent a link for the first time during the past 30 days in a Microsoft Teams conversation, and the link points to a file. overridden
An external user created a chat with a suspicious user or chat name and then sent a link via Microsoft Teams
Low overridden
An external user created a chat with a suspicious user or chat name and sent a link in Microsoft Teams, which can be a phishing attempt. overridden
External user created a Microsoft Teams conversation with a suspicious user or chat name and shortly after removed a user from it
Low overridden
An external user created a conversation with a suspicious user or chat name, and then removed a member, which could indicate potential suspicious activity. overridden
An external user created a chat then sent a link via Microsoft Teams
Informational overridden
An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden
An external user created a chat and then sent a link via Microsoft Teams
Informational overridden
An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden
External user created a Microsoft Teams conversation and shortly after removed a user from it
Informational overridden
An external user created a conversation and then removed a member, which could indicate potential suspicious activity. overridden
External user invitation to Azure tenant Informational Cloud
An external user was invited to Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain unauthorized access to the tenant.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.External user started a Microsoft Teams conversation Informational Identity Threat Module 5 variations
An external user started a Microsoft Teams conversation with users in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.Variations
An external user started multiple conversations in Microsoft Teams with suspicious chat names
Low overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
An external user started a conversation in Microsoft Teams with a suspicious user or chat name
Low overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
An external user started multiple conversations in Microsoft Teams
Low overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
External user started a Microsoft Teams conversation and sent a message
Informational overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
An external user started conversations in Microsoft Teams with many internal users
Informational overridden
An external user started a Microsoft Teams conversation with users in the organization. overridden
Extracting credentials from Unix files Low
Suspicious Unix files containing insecurely stored credentials were accessed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Credentials In Files (T1552.001)Required data: XDR AgentAttacker's goals: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.Investigative actions: Investigate the process activities and use of the extracted credentials.FTP Connection Using an Anonymous Login or Default Credentials Low
An FTP connection using an anonymous login was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.Failed Connections Low 2 variations
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker does not know your network and is exploring it for new or unknown subnets.Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.Variations
Failed Connections
Informational overridden
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network. overridden
Failed Connections with a rare causality and actor processes relations
Informational overridden
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.These failed connections originated from a rare relation between an actor process and its causality. overridden
Failed DNS Low
The endpoint is performing DNS lookups that are failing at an excessively high rate when compared to its peer group. This alert might be symptomatic of malware that is trying to connect to its command and control (C2) servers.The attacker's C2 server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 2 Hours
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Dynamic Resolution: Domain Generation Algorithms (T1568.002)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees large numbers of failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive. Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com. This can result in a false-positive for this alert. Make sure the endpoint is configured properly for your DNS servers. For example, make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in many failed lookups, which will result in a false-positive for this alert. Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR Analytics, then their ordinary operations can trigger this alert.Failed Login For Locked-Out Account Informational
A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Authenticate using the principal in the TGT, not knowing that it has been revoked.Investigative actions: Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked. The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.