Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapFailed Login For a Long Username With Special Characters Informational
A long username containing special characters failed to log in to the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Exploit Public-Facing Application (T1190)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker is trying to get code execution on internet-facing assets through command injection.Investigative actions: Is the host running internet-facing services? Are we looking at sanction vulnerability scanning?File transfer from unusual IP using known tools Informational 1 variation
An adversary might use known tools to transfer tools/payloads into the compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Ingress Tool Transfer (T1105)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Expand attack vectors and compromise the rest of the network.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
File transfer from unusual IP using known tools in a Kubernetes pod
Low overridden
An adversary might use known tools to transfer tools/payloads into the compromised machine. overridden
First Azure AD PowerShell operation for a user Low Identity Threat Module
A user performed an Azure AD operation using a PowerShell user-agent for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Achieve initial access to a company's resources.Investigative actions: Follow the actions the user performed using PowerShell. Confirm with the user that the action was intended.First SSO Resource Access in the Organization Informational Identity Analytics 1 variation
A resource was accessed for the first time via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use a possibly compromised account to access privileged resources.Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.Variations
Abnormal first access to a resource via SSO in the organization
Low overridden
A resource was accessed for the first time via SSO with suspicious characteristics. overridden
First SSO access from ASN for user Informational Identity Analytics 2 variations
A user successfully authenticated via SSO with a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
First SSO access from ASN for user - suspicious characteristics detected
Low overridden
First SSO access from ASN for user that shows suspicious characteristics. overridden
Google Workspace - First SSO access from ASN for user
Informational overridden
A user successfully authenticated via SSO with a new ASN. overridden
First SSO access from ASN in organization Informational Identity Analytics 2 variations
An SSO authentication was made with a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
First successful SSO access from ASN in the organization
Low overridden
An SSO authentication was made with a new ASN. overridden
Google Workspace - First SSO access from ASN in organization
Informational overridden
An SSO authentication was made with a new ASN. overridden
First VPN access attempt from a country in organization Informational Identity Analytics 1 variation
A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
First successful VPN access from a country in organization
Low overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
First VPN access from ASN for user Informational Identity Analytics 1 variation
A user logged in to a VPN with a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
Unusual VPN access from ASN
Low overridden
An unusual VPN login was made by a user. overridden
First VPN access from ASN in organization Informational Identity Analytics
A VPN connection was attempted from a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the connection was successful. Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.First connection from a country in organization Informational Identity Analytics 1 variation
A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
First successful SSO connection from a country in organization
Informational overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
First-seen email from mailbox owner to external recipient's address in the last 30 days Informational Email 6 variations
Internal sender initiated first-time communication with an external recipient in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
First-time email to the disposable domain
Low overridden
Internal sender emailed to external address(es) with disposable domain. overridden
First-time email from organization's domain with the external recipient's domain in the last 30 days
Informational overridden
Internal sender emailed an external address belonging to a domain seen for the first time by the organization domain in the last 30 days. overridden
First-time email from organization with the external recipient in the last 30 days
Informational overridden
Internal sender emailed to external address(es) that first-seen by the the whole organization in the last 30 days. overridden
First-time email from organization's domain to the external recipient in the last 30 days
Informational overridden
Internal sender emailed to external address(es) that first-seen by the organization domain in the last 30 days. overridden
First-time email from mailbox owner to the external recipient's domain in the last 30 days
Informational overridden
Internal sender emailed to external address(es) with domain that first-seen by that sender in the last 30 days. overridden
First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days
Informational overridden
Internal sender emailed first-time to multiple external recipients with no internal recipients included in the last 30 days. overridden
First-time directory sync of an on-premises domain user to an existing cloud account Informational Identity Threat Module
First-time synchronization of an on-premises domain user with an existing cloud account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Attackers may leverage DirectorySync to move laterally from a compromised on-premise environment into the cloud tenant, allowing them to bypass the cloud's security boundaries and take over high-value cloud identities.Investigative actions: Check if the cloud account was an administrator (Global Admin, etc.) before this sync. Determine if the on-premise user was recently created or if its 'proxyAddress' attribute was recently modified. Confirm if the organization intended to transition this account from Cloud-Only to Hybrid. Verify the consistency between the on-premises 'ObjectGUID' and the newly assigned 'ImmutableID' in Azure AD.Fodhelper.exe UAC bypass Medium
Attackers may use Fodhelper.exe to bypass UAC (User Account Control) by having it spawn their malicious process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)Required data: XDR AgentAttacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).Investigative actions: Search for a registry event that changes the key Software\Classes\ms-settings. Review the process that made the registry key. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Foreign account was granted permissions to S3 bucket via resource-based policy Informational Cloud 1 variation
Foreign account was granted access to S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: The attacker wants to maintain control over the resource.Investigative actions: Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy. Check the permissions that were granted to the {aws_grantee_project}. Restrict permissions for the {aws_grantee_project} if needed.Variations
Foreign account was granted permissions to S3 bucket containing sensitive information via resource-based policy
Low overridden
Foreign account was granted access to S3 bucket. overridden
GCP Firewall Rule Modification Informational Cloud
A GCP firewall rule was modified. An attacker might use this technique to access restricted resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.GCP Firewall Rule creation Informational Cloud
A GCP VPN firewall rule was created. An attacker might use this technique to block or open access to/from restricted areas.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the created rule. Check the cloud identity activity before and after the rule creation.GCP IAM Role Deletion Informational Cloud
A GCP IAM role was created. An attacker might use this technique to interrupt users' actions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Inhibit users from accessing resources.Investigative actions: Check which users were affected by the role deletion. Check what other actions were taken by the identity that deleted the role.GCP IAM Service Account Key Deletion Informational Cloud
A GCP IAM service account key was deleted. An attacker might use this technique to interrupt business operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Account access removal.Investigative actions: Check which operations were corrupted after the deletion.GCP IAM deny policy creation Low Cloud 1 variation
An identity created a GCP IAM deny policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Interrupt availability of cloud resources by inhibiting access to accounts utilized by legitimate users.Investigative actions: Examine the details of the created deny policy. Review the recent activity of the identity.Variations
Unusual GCP IAM deny policy creation
Medium overridden
An identity created a GCP IAM deny policy. overridden
GCP Logging Bucket Deletion Informational Cloud
A GCP logging bucket was deleted. An attacker might delete the bucket to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Evade detection.Investigative actions: Check which logs were affected by the bucket deletion. Check The cloud identity activity prior/after to the bucket deletion.GCP Pub/Sub Subscription Deletion Informational Cloud
A GCP Pub/Sub subscription was deleted. An attacker might use this technique to affect business workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: Gcp Audit LogAttacker's goals: Interrupt business services.Investigative actions: Check which services were affected due to the Pub/Sub deletion. Check The cloud identity activity prior/after the subscription deletion.GCP Pub/Sub Topic Deletion Informational Cloud
A GCP Pub/Sub topic was deleted, might affect workflows due to interrupts within the Pub/Sub pipeline.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: Gcp Audit LogAttacker's goals: Interrupt business services.Investigative actions: Check which services were affected due to the Pub/Sub topic deletion. Check The cloud identity activity prior/after the topic deletion.GCP Service Account Deletion Informational Cloud
A GCP service account was deleted. An attacker might use this technique to remove access to valid accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Account access removal.Investigative actions: Check which operations were corrupted after the deletion.GCP Service Account Disable Informational Cloud
A GCP service account was disabled. An attacker might use this technique to interrupt business procedures and workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Account access removal.Investigative actions: Check if there were any services/procedures affected by the disable operation.GCP Service Account creation Informational Cloud
A GCP service account was created. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Gcp Audit LogAttacker's goals: Persistence with service account. An attacker might use this technique to evade detection.Investigative actions: Check the identity that created the account and its actions.GCP Service Account key creation Informational Cloud
A GCP service account key was created. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Gcp Audit LogAttacker's goals: Persistence using the created key.Investigative actions: Check what actions were taken using the newly created service account key. Check what other actions were taken by the identity that created the key.GCP Storage Bucket Configuration Modification Informational Cloud
A GCP storage bucket configuration has been modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Manipulate stored data.Investigative actions: Check if there were any services/procedures affected by the modification. Check what other actions were taken by the identity that modified the configuration.GCP Storage Bucket Permissions Modification Informational Cloud
A GCP storage bucket's IAM permissions were modified. An attacker might use this technique to expose sensitive data or cause data loss.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: File and Directory Permissions Modification (T1222)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate information.Investigative actions: Check which data exists in the modified bucket and its classification. Look for events that involve actions for the bucket data.GCP Storage Bucket deletion Informational Cloud 1 variation
A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Data destruction.Investigative actions: Check which data was deleted from the bucket.Variations
GCP Storage Bucket containing sensitive data was deleted
Informational overridden
A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows. overridden
GCP VPC Firewall Rule Deletion Informational Cloud
A GCP VPC firewall rule was deleted. An attacker might use this technique to access restricted resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.GCP Virtual Private Cloud (VPC) Network Deletion Informational Cloud
A GCP VPC network was deleted. An attacker might use this technique to interrupt business resources and workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Gcp Audit LogAttacker's goals: Block the availability of targeted resources to users/services.Investigative actions: Check which services were affected by the VPC deletion. Check the cloud identity activity before and after the VPC network deletion.GCP Virtual Private Network Route Creation Informational Cloud
A GCP VPC route was created. An attacker might use this technique to impact business workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Gcp Audit LogAttacker's goals: Block the availability of targeted resources to users/services.Investigative actions: Check which services were affected by the route creation. Check the cloud identity activity before or after the route creation.GCP Virtual Private Network Route Deletion Informational Cloud
A GCP VPC route was deleted. An attacker might use this technique to impact business workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Gcp Audit LogAttacker's goals: Block the availability of targeted resources to users/services.Investigative actions: Check which services were affected by the route deletion. Check The cloud identity activity prior/after the route deletion.GCP administrative role granted to a cloud identity Informational Cloud
A cloud identity granted an administrative IAM role to another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.GCP data asset shared public Low Cloud
The GCP data asset was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.GCP logging sink deletion Informational Cloud 1 variation
A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Identify the logs impacted by the deletion. Review cloud identity activity before and after the deletion.Variations
GCP logging sink deletion
Low overridden
A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection. overridden
GCP logging sink modification Informational Cloud 2 variations
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Identify the relevant logs impacted by the modification. Review The cloud identity activity before and after the logging sink modification.Variations
GCP logging sink modification
Medium overridden
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden
GCP logging sink modification
Low overridden
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden
GCP sensitive Cloud Run role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Cloud Run IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Cloud Run role granted
Medium overridden
A cloud identity granted itself a sensitive Cloud Run IAM role. overridden
GCP sensitive Deployment Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Deployment Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Deployment Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden
GCP sensitive Functions role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Functions IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Functions role granted
Medium overridden
A cloud identity granted itself a sensitive Functions IAM role. overridden
GCP sensitive IAM role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive IAM role granted
Medium overridden
A cloud identity granted itself a sensitive IAM role. overridden
GCP sensitive Secret Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Secret Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Secret Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Secret Manager IAM role. overridden
GCP sensitive compute role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive compute IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive compute role granted
Medium overridden
A cloud identity granted itself a sensitive compute IAM role. overridden
GCP sensitive role granted to group Low Cloud 1 variation
A cloud identity granted a sensitive role to a group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the group.Variations
GCP sensitive role granted to group
Medium overridden
A cloud identity granted a sensitive role to a group. overridden
GCP sensitive storage role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive storage IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive storage role granted
Medium overridden
A cloud identity granted itself a sensitive storage IAM role. overridden
GCP service account impersonation attempt Informational Cloud
An attempt to impersonate the GCP service account failed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: Gcp Audit LogAttacker's goals: Escalate privileges to gain elevated access to cloud resources.Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.GCP set IAM policy activity Informational Cloud
A cloud identity had modified a resource policy bindings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Globally uncommon IP address by a common process (sha256) Informational 4 variations
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.Investigative actions: Check the destination IP address reputation. Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon IP address by a common process (sha256) from an injected thread
High overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address by a common process (sha256) from a known vendor
Medium overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address by a common process (sha256)
Medium overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and a rare IP address by a common process (sha256)
Low overridden
A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process Informational 3 variations
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.Variations
Globally uncommon IP address connection from an injected thread in a signed process
Medium overridden
An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process from a known vendor
Medium overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address connection from a signed process
Low overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon high entropy module was loaded Informational 1 variation
A module with high entropy and a globally uncommon hash was loaded.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.Investigative actions: Check if the module is either compressed, encrypted, obfuscated or packed.Variations
Globally uncommon high entropy module was loaded by process which was executed by a scheduled task
Low overridden
A module with high entropy and a globally uncommon hash was loaded. overridden
Globally uncommon high entropy process was executed Informational 4 variations
A process with high entropy and a globally uncommon hash was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.Investigative actions: Check if the process' file is either compressed, encrypted, obfuscated or packed.Variations
Globally uncommon high entropy process was executed by an untrusted CGO
Low overridden
A process with high entropy and a globally uncommon hash was executed by an untrusted CGO. overridden
Globally uncommon high entropy process was executed by a web server process or CGO
Low overridden
A process with high entropy and a globally uncommon hash was executed by a web server process or CGO. overridden
Globally uncommon high entropy process was extracted from an internet-downloaded archive and executed
Low overridden
A process with high entropy and a globally uncommon hash was extracted from an internet-downloaded archive and executed. overridden
Globally uncommon high entropy process was downloaded from an uncommon source and executed
Low overridden
A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed. overridden
Globally uncommon image load from a signed process Informational 5 variations
A signed process loaded a DLL that, on a global level, it usually doesn't load.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: Global Anomaly Analytics, DLL Hijacking AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon image load from a signed process from a known vendor
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon unsigned image side loaded to a signed process
Medium overridden
A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon and very rare image load from a signed process
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon image load from an injected thread in a signed process
Low overridden
An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process
Low overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon injection from a signed process Informational 3 variations
A signed process injected into another process that it does not normally target at a global level.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)Required data: XDR AgentDetector tags: Injection Analytics, Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon suspicious injection from a signed process
Medium overridden
A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process which was executed by a scheduled task
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon injection from a signed process
Low overridden
A signed process injected into another process that it does not normally target at a global level. overridden
Globally uncommon process execution from a signed process Informational 4 variations
A signed process has executed a process that, on a global level, it usually doesn't execute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Check if the actor process was injected or loaded a suspicious DLL before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon process execution from a signed process from a known vendor
Medium overridden
A signed process has executed a process that, on a global level, it usually doesn't execute. overridden
Globally rare process execution from a signed process
Medium overridden
A signed process has executed a process that, on a global level, it usually doesn't execute. overridden
Globally uncommon process execution from an injected thread in a signed process
Low overridden
An injected thread in a signed process has executed a process that, on a global level, it usually doesn't execute. overridden
Globally uncommon process execution from a web server process or CGO
Low overridden
A web server process or CGO has executed a process that, on a global level, it usually doesn't execute. overridden
Globally uncommon root domain from a signed process Low 4 variations
A signed process connected to an external domain that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root domain from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
Medium overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination by a common process (sha256) Informational 4 variations
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination by a common process (sha256) from an injected thread
High overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare root-domain port combination by a common process (sha256)
Medium overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination by a common process (sha256) from a known vendor
Medium overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and rare root-domain port combination by a common process (sha256)
Low overridden
A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process Low 4 variations
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
Medium overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Gmail delegation was turned on for the organization Informational Identity Threat Module
A Google Workspace admin turned on Gmail delegation for all the organization's users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Email Collection.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if any user in the organization granted other users access to their mail inbox. Follow further actions done by the account.Gmail routing settings changed Informational Identity Threat Module 1 variation
Gmail routing settings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged (T1074) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Email Collection.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new routing settings look suspicious. Investigate the IP address associated with the routing settings. Follow further actions done by the account.Variations
Gmail routing settings changed by a non-administrative Google Workspace identity
Low overridden
Gmail routing settings were modified. overridden
Google Marketplace restrictions were modified Informational Identity Threat Module 3 variations
An identity modified Google Marketplace Restrictions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious Apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
Google Marketplace restrictions were modified by a suspicious identity
Low overridden
An identity modified Google Marketplace Restrictions. overridden
Google Marketplace restrictions were modified from an unusual ASN
Low overridden
An identity modified Google Marketplace Restrictions. overridden
Google Marketplace restrictions were modified by a non Google Workspace administrative user
Informational overridden
An identity modified Google Marketplace Restrictions. overridden
Google Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
Google Workspace organizational unit was modified Informational Identity Threat Module
A Google Workspace admin modified an organizational unit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Google Workspace third-party application's security settings were changed Informational Identity Threat Module 3 variations
An identity changed Google Workspace third-party application's security settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
Google Workspace third-party application's security settings were changed by a suspicious identity
Low overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace third-party application's security settings were changed from an unusual ASN
Low overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace third-party application's security settings were changed by a non Google Workspace administrative user
Informational overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace user authentication information changed Informational Identity Threat Module 2 variations
Google Workspace authentication information was changed for a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.Variations
Google Workspace administrative user authentication information changed
Low overridden
Google Workspace authentication information was changed for a user. overridden
Google Workspace user authentication information changed by another account
Low overridden
Google Workspace authentication information was changed for a user. overridden
Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.HTTP with suspicious characteristics Low 3 variations
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
HTTP with suspicious characteristics which is repetitive
Low overridden
Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics to an IP address
Low overridden
Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics that always fails
Informational overridden
Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
Hidden Attribute was added to a file using attrib.exe Informational
Hidden attribute was added to a file using attrib.exe, adversaries may set files to be hidden to evade detection mechanisms.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)Required data: XDR AgentAttacker's goals: Hide malware or staged files from standard file explorers.Investigative actions: Check if the hidden file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.Hydra Password Brute-Force Tool Execution High 1 variation
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: The attacker attempts to gain access to the account or host.Investigative actions: Verify that the commands are executed from a trusted source. Audit the victim account or host and verify that they haven't been compromised.Variations
Hydra Password Brute-Force Tool Execution from a Kubernetes pod
High overridden
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown. overridden
IAM Enumeration sequence Informational Cloud 1 variation
An identity has executed a sequence of events which may be related to an IAM recon enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.Variations
IAM Enumeration sequence executed from a cloud Internet facing instance
Low overridden
A cloud Internet facing instance performed an unusual IAM enumeration. overridden
IAM User added to an IAM group Informational Cloud
An IAM user was added to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.IAM inline policy was added to group Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to role Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to user Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM instance profile associations were described Informational Cloud
AWS IAM instance profile associations were described.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover infrastructure and resources that are available within a cloud environment.Investigative actions: Determine which instance profile associations were described. Investigate any suspicious activities related to the identity.IAM instance profile was associated with EC2 instance Informational Cloud
An AWS IAM instance profile was associated with EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was created Informational Cloud
An AWS IAM instance profile was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was replaced for EC2 instance Informational Cloud
An AWS IAM instance profile was replaced for EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profiles were listed Informational Cloud
AWS IAM instance profiles associated with a role were listed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.Investigative actions: Determine which instance profiles were listed. Investigate any suspicious activities related to the identity and the role.IAM policy default version was changed Informational Cloud
A cloud identity set the specified version of an AWS IAM policy as the policy's default.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy version was created Informational Cloud
A cloud identity created an AWS-managed IAM policy version.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to group Informational Cloud
A cloud identity attached an AWS IAM policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to role Informational Cloud 1 variation
An AWS IAM policy was attached to this role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.Variations
Administrative IAM policy was attached to role
Informational overridden
An AWS IAM policy was attached to this role. overridden
IAM role trust policy modification Informational Cloud
A cloud identity updated the trust policy of an AWS IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM role was created Informational Cloud
An IAM role was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity or role.IAM role-attached managed policies were listed Informational Cloud
AWS IAM managed policies that are attached to a role were listed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.Investigative actions: Determine which managed policies were listed. Investigate any suspicious activities related to the identity and the role.IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.Variations
Potential Targeted SSO Password Spray Activity Detected
Medium overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Suspicious SSO Login Attempts from Multiple IPs
Low overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Identity assigned an Azure AD Administrator Role Informational Identity Threat Module 2 variations
An identity was assigned an Azure AD Administrator role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AzureAD Audit LogAttacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.Investigative actions: Check if the added account is new to the organization. Check whether the account that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.Variations
Identity assigned an Azure AD Administrator Role by an Application
Medium overridden
An identity was assigned an Azure AD Administrator role by an application. overridden
Suspicious Azure AD Administrator Role assignment
Low overridden
An identity was assigned an Azure AD Administrator role. overridden
Image file execution options (IFEO) registry key set Low 3 variations
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.Variations
Image file execution options (IFEO) registry key set to execute a shell or scripting engine process
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Image file execution options (IFEO) registry key set to activate Windows licenses illegally
Medium overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden
Image file execution options (IFEO) registry key set using reg.exe
High overridden
Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden
Impossible traveler - SSO Low Identity Analytics 3 variations
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.Variations
Impossible traveler - non-interactive SSO authentication
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Possible Impossible traveler via SSO
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
SSO impossible traveler from a VPN or proxy
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Impossible traveler - VPN Low Identity Analytics 3 variations
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.Variations
Possible Impossible traveler via VPN
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler from a VPN or proxy
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler with an unusual parameter
Medium overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
Increase in Job-Related Site Visits Informational Identity Threat Module
A user has visited multiple job-related sites in the past day.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Search Open Websites/Domains (T1593)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: This may be an early indicator of an insider threat.Investigative actions: Investigate the domains accessed and how popular they are in the organization. Check how long the user has been part of the organization. Verify that the user is not part of a department that accesses job sites as part of daily operations.Indicator blocking Informational 1 variation
Auditing or logging configuration changes on Linux host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Impairing host defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Indicator blocking in a Kubernetes pod
Low overridden
Auditing or logging configuration changes on Linux host. overridden
Indirect command execution using the Program Compatibility Assistant Medium
Pcalua.exe (Program Compatibility Assistant) is used for running old programs that have compatibility issues. Attackers can use pcalua.exe to indirectly execute their malicious programs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indirect Command Execution (T1202)Required data: XDR AgentAttacker's goals: Evading detection by indirectly executing their malicious programs.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Injection into rundll32.exe Informational 1 variation
A process injected into an instance of rundll32.exe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Injection into rundll32.exe which was executed by a scheduled task
Low overridden
A process injected into an instance of rundll32.exe. overridden
Installation of a new System-V service Low 1 variation
Installation of a new System-V service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may create systemd services to run malicious payloads.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Installation of a new System-V service in a Kubernetes pod
Low overridden
Installation of a new System-V service. overridden
Intense SSO failures Informational Identity Analytics 1 variation
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.Variations
Intense SSO failures with suspicious characteristics
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden
Interactive at.exe privilege escalation method Low
Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Interactive local account enumeration Low Identity Analytics
Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Interactive login by a machine account Informational Identity Analytics 1 variation
A machine account performed an interactive or remote interactive login.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Successful interactive login by a machine account
Low overridden
A machine account performed a successful interactive or remote interactive login. overridden
Interactive login by a service account Low Identity Analytics 2 variations
A service account performed an interactive or remote interactive login.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Interactive login by a service account to a sensitive server
Medium overridden
Interactive login by a service account to a sensitive server. overridden
Failed interactive login by a service account
Informational overridden
A service account performed an interactive or remote interactive login. overridden