Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Failed Login For a Long Username With Special Characters Informational

    A long username containing special characters failed to log in to the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Exploit Public-Facing Application (T1190)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker is trying to get code execution on internet-facing assets through command injection.
    Investigative actions: Is the host running internet-facing services? Are we looking at sanction vulnerability scanning?
  • File transfer from unusual IP using known tools Informational 1 variation

    An adversary might use known tools to transfer tools/payloads into the compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Expand attack vectors and compromise the rest of the network.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    File transfer from unusual IP using known tools in a Kubernetes pod

    Low overridden

    An adversary might use known tools to transfer tools/payloads into the compromised machine. overridden

  • First Azure AD PowerShell operation for a user Low Identity Threat Module

    A user performed an Azure AD operation using a PowerShell user-agent for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Achieve initial access to a company's resources.
    Investigative actions: Follow the actions the user performed using PowerShell. Confirm with the user that the action was intended.
  • First SSO Resource Access in the Organization Informational Identity Analytics 1 variation

    A resource was accessed for the first time via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use a possibly compromised account to access privileged resources.
    Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.

    Variations

    Abnormal first access to a resource via SSO in the organization

    Low overridden

    A resource was accessed for the first time via SSO with suspicious characteristics. overridden

  • First SSO access from ASN for user Informational Identity Analytics 2 variations

    A user successfully authenticated via SSO with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    First SSO access from ASN for user - suspicious characteristics detected

    Low overridden

    First SSO access from ASN for user that shows suspicious characteristics. overridden

    Google Workspace - First SSO access from ASN for user

    Informational overridden

    A user successfully authenticated via SSO with a new ASN. overridden

  • First SSO access from ASN in organization Informational Identity Analytics 2 variations

    An SSO authentication was made with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    First successful SSO access from ASN in the organization

    Low overridden

    An SSO authentication was made with a new ASN. overridden

    Google Workspace - First SSO access from ASN in organization

    Informational overridden

    An SSO authentication was made with a new ASN. overridden

  • First VPN access attempt from a country in organization Informational Identity Analytics 1 variation

    A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    First successful VPN access from a country in organization

    Low overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • First VPN access from ASN for user Informational Identity Analytics 1 variation

    A user logged in to a VPN with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    Unusual VPN access from ASN

    Low overridden

    An unusual VPN login was made by a user. overridden

  • First VPN access from ASN in organization Informational Identity Analytics

    A VPN connection was attempted from a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the connection was successful. Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.
  • First connection from a country in organization Informational Identity Analytics 1 variation

    A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    First successful SSO connection from a country in organization

    Informational overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • First-seen email from mailbox owner to external recipient's address in the last 30 days Informational Email 6 variations

    Internal sender initiated first-time communication with an external recipient in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    First-time email to the disposable domain

    Low overridden

    Internal sender emailed to external address(es) with disposable domain. overridden

    First-time email from organization's domain with the external recipient's domain in the last 30 days

    Informational overridden

    Internal sender emailed an external address belonging to a domain seen for the first time by the organization domain in the last 30 days. overridden

    First-time email from organization with the external recipient in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) that first-seen by the the whole organization in the last 30 days. overridden

    First-time email from organization's domain to the external recipient in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) that first-seen by the organization domain in the last 30 days. overridden

    First-time email from mailbox owner to the external recipient's domain in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) with domain that first-seen by that sender in the last 30 days. overridden

    First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days

    Informational overridden

    Internal sender emailed first-time to multiple external recipients with no internal recipients included in the last 30 days. overridden

  • First-time directory sync of an on-premises domain user to an existing cloud account Informational Identity Threat Module

    First-time synchronization of an on-premises domain user with an existing cloud account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Attackers may leverage DirectorySync to move laterally from a compromised on-premise environment into the cloud tenant, allowing them to bypass the cloud's security boundaries and take over high-value cloud identities.
    Investigative actions: Check if the cloud account was an administrator (Global Admin, etc.) before this sync. Determine if the on-premise user was recently created or if its 'proxyAddress' attribute was recently modified. Confirm if the organization intended to transition this account from Cloud-Only to Hybrid. Verify the consistency between the on-premises 'ObjectGUID' and the newly assigned 'ImmutableID' in Azure AD.
  • Fodhelper.exe UAC bypass Medium

    Attackers may use Fodhelper.exe to bypass UAC (User Account Control) by having it spawn their malicious process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
    Required data: XDR Agent
    Attacker's goals: Gain higher privileges by bypassing the User Account Control (UAC).
    Investigative actions: Search for a registry event that changes the key Software\Classes\ms-settings. Review the process that made the registry key. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Foreign account was granted permissions to S3 bucket via resource-based policy Informational Cloud 1 variation

    Foreign account was granted access to S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: The attacker wants to maintain control over the resource.
    Investigative actions: Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy. Check the permissions that were granted to the {aws_grantee_project}. Restrict permissions for the {aws_grantee_project} if needed.

    Variations

    Foreign account was granted permissions to S3 bucket containing sensitive information via resource-based policy

    Low overridden

    Foreign account was granted access to S3 bucket. overridden

  • GCP Firewall Rule Modification Informational Cloud

    A GCP firewall rule was modified. An attacker might use this technique to access restricted resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.
  • GCP Firewall Rule creation Informational Cloud

    A GCP VPN firewall rule was created. An attacker might use this technique to block or open access to/from restricted areas.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the created rule. Check the cloud identity activity before and after the rule creation.
  • GCP IAM Role Deletion Informational Cloud

    A GCP IAM role was created. An attacker might use this technique to interrupt users' actions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Inhibit users from accessing resources.
    Investigative actions: Check which users were affected by the role deletion. Check what other actions were taken by the identity that deleted the role.
  • GCP IAM Service Account Key Deletion Informational Cloud

    A GCP IAM service account key was deleted. An attacker might use this technique to interrupt business operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Account access removal.
    Investigative actions: Check which operations were corrupted after the deletion.
  • GCP IAM deny policy creation Low Cloud 1 variation

    An identity created a GCP IAM deny policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt availability of cloud resources by inhibiting access to accounts utilized by legitimate users.
    Investigative actions: Examine the details of the created deny policy. Review the recent activity of the identity.

    Variations

    Unusual GCP IAM deny policy creation

    Medium overridden

    An identity created a GCP IAM deny policy. overridden

  • GCP Logging Bucket Deletion Informational Cloud

    A GCP logging bucket was deleted. An attacker might delete the bucket to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Evade detection.
    Investigative actions: Check which logs were affected by the bucket deletion. Check The cloud identity activity prior/after to the bucket deletion.
  • GCP Pub/Sub Subscription Deletion Informational Cloud

    A GCP Pub/Sub subscription was deleted. An attacker might use this technique to affect business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Check which services were affected due to the Pub/Sub deletion. Check The cloud identity activity prior/after the subscription deletion.
  • GCP Pub/Sub Topic Deletion Informational Cloud

    A GCP Pub/Sub topic was deleted, might affect workflows due to interrupts within the Pub/Sub pipeline.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Check which services were affected due to the Pub/Sub topic deletion. Check The cloud identity activity prior/after the topic deletion.
  • GCP Service Account Deletion Informational Cloud

    A GCP service account was deleted. An attacker might use this technique to remove access to valid accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Account access removal.
    Investigative actions: Check which operations were corrupted after the deletion.
  • GCP Service Account Disable Informational Cloud

    A GCP service account was disabled. An attacker might use this technique to interrupt business procedures and workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Account access removal.
    Investigative actions: Check if there were any services/procedures affected by the disable operation.
  • GCP Service Account creation Informational Cloud

    A GCP service account was created. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Gcp Audit Log
    Attacker's goals: Persistence with service account. An attacker might use this technique to evade detection.
    Investigative actions: Check the identity that created the account and its actions.
  • GCP Service Account key creation Informational Cloud

    A GCP service account key was created. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Gcp Audit Log
    Attacker's goals: Persistence using the created key.
    Investigative actions: Check what actions were taken using the newly created service account key. Check what other actions were taken by the identity that created the key.
  • GCP Storage Bucket Configuration Modification Informational Cloud

    A GCP storage bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Manipulate stored data.
    Investigative actions: Check if there were any services/procedures affected by the modification. Check what other actions were taken by the identity that modified the configuration.
  • GCP Storage Bucket Permissions Modification Informational Cloud

    A GCP storage bucket's IAM permissions were modified. An attacker might use this technique to expose sensitive data or cause data loss.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: File and Directory Permissions Modification (T1222)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate information.
    Investigative actions: Check which data exists in the modified bucket and its classification. Look for events that involve actions for the bucket data.
  • GCP Storage Bucket deletion Informational Cloud 1 variation

    A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Data destruction.
    Investigative actions: Check which data was deleted from the bucket.

    Variations

    GCP Storage Bucket containing sensitive data was deleted

    Informational overridden

    A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows. overridden

  • GCP VPC Firewall Rule Deletion Informational Cloud

    A GCP VPC firewall rule was deleted. An attacker might use this technique to access restricted resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.
  • GCP Virtual Private Cloud (VPC) Network Deletion Informational Cloud

    A GCP VPC network was deleted. An attacker might use this technique to interrupt business resources and workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the VPC deletion. Check the cloud identity activity before and after the VPC network deletion.
  • GCP Virtual Private Network Route Creation Informational Cloud

    A GCP VPC route was created. An attacker might use this technique to impact business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the route creation. Check the cloud identity activity before or after the route creation.
  • GCP Virtual Private Network Route Deletion Informational Cloud

    A GCP VPC route was deleted. An attacker might use this technique to impact business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the route deletion. Check The cloud identity activity prior/after the route deletion.
  • GCP administrative role granted to a cloud identity Informational Cloud

    A cloud identity granted an administrative IAM role to another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • GCP data asset shared public Low Cloud

    The GCP data asset was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.
  • GCP logging sink deletion Informational Cloud 1 variation

    A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Identify the logs impacted by the deletion. Review cloud identity activity before and after the deletion.

    Variations

    GCP logging sink deletion

    Low overridden

    A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection. overridden

  • GCP logging sink modification Informational Cloud 2 variations

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Identify the relevant logs impacted by the modification. Review The cloud identity activity before and after the logging sink modification.

    Variations

    GCP logging sink modification

    Medium overridden

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden

    GCP logging sink modification

    Low overridden

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden

  • GCP sensitive Cloud Run role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Cloud Run IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Cloud Run role granted

    Medium overridden

    A cloud identity granted itself a sensitive Cloud Run IAM role. overridden

  • GCP sensitive Deployment Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Deployment Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Deployment Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden

  • GCP sensitive Functions role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Functions IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Functions role granted

    Medium overridden

    A cloud identity granted itself a sensitive Functions IAM role. overridden

  • GCP sensitive IAM role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive IAM role granted

    Medium overridden

    A cloud identity granted itself a sensitive IAM role. overridden

  • GCP sensitive Secret Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Secret Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Secret Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Secret Manager IAM role. overridden

  • GCP sensitive compute role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive compute IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive compute role granted

    Medium overridden

    A cloud identity granted itself a sensitive compute IAM role. overridden

  • GCP sensitive role granted to group Low Cloud 1 variation

    A cloud identity granted a sensitive role to a group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the group.

    Variations

    GCP sensitive role granted to group

    Medium overridden

    A cloud identity granted a sensitive role to a group. overridden

  • GCP sensitive storage role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive storage IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive storage role granted

    Medium overridden

    A cloud identity granted itself a sensitive storage IAM role. overridden

  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • GCP set IAM policy activity Informational Cloud

    A cloud identity had modified a resource policy bindings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • Globally uncommon IP address by a common process (sha256) Informational 4 variations

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.
    Investigative actions: Check the destination IP address reputation. Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address by a common process (sha256) from an injected thread

    High overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address by a common process (sha256) from a known vendor

    Medium overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address by a common process (sha256)

    Medium overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and a rare IP address by a common process (sha256)

    Low overridden

    A process with a common sha256 connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon IP address connection from a signed process Informational 3 variations

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.

    Variations

    Globally uncommon IP address connection from an injected thread in a signed process

    Medium overridden

    An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon IP address connection from a signed process from a known vendor

    Medium overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare IP address connection from a signed process

    Low overridden

    A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon high entropy module was loaded Informational 1 variation

    A module with high entropy and a globally uncommon hash was loaded.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.
    Investigative actions: Check if the module is either compressed, encrypted, obfuscated or packed.

    Variations

    Globally uncommon high entropy module was loaded by process which was executed by a scheduled task

    Low overridden

    A module with high entropy and a globally uncommon hash was loaded. overridden

  • Globally uncommon high entropy process was executed Informational 4 variations

    A process with high entropy and a globally uncommon hash was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Obfuscated Files or Information (T1027)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to make an executable difficult to discover or analyze by compressing, encrypting, encoding, or otherwise obfuscating its contents.
    Investigative actions: Check if the process' file is either compressed, encrypted, obfuscated or packed.

    Variations

    Globally uncommon high entropy process was executed by an untrusted CGO

    Low overridden

    A process with high entropy and a globally uncommon hash was executed by an untrusted CGO. overridden

    Globally uncommon high entropy process was executed by a web server process or CGO

    Low overridden

    A process with high entropy and a globally uncommon hash was executed by a web server process or CGO. overridden

    Globally uncommon high entropy process was extracted from an internet-downloaded archive and executed

    Low overridden

    A process with high entropy and a globally uncommon hash was extracted from an internet-downloaded archive and executed. overridden

    Globally uncommon high entropy process was downloaded from an uncommon source and executed

    Low overridden

    A process with high entropy and a globally uncommon hash was downloaded from an uncommon source and executed. overridden

  • Globally uncommon image load from a signed process Informational 5 variations

    A signed process loaded a DLL that, on a global level, it usually doesn't load.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics, DLL Hijacking Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon image load from a signed process from a known vendor

    Medium overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon unsigned image side loaded to a signed process

    Medium overridden

    A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon and very rare image load from a signed process

    Medium overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon image load from an injected thread in a signed process

    Low overridden

    An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

    Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process

    Low overridden

    A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden

  • Globally uncommon injection from a signed process Informational 3 variations

    A signed process injected into another process that it does not normally target at a global level.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Process Injection (T1055) Compromise Host Software Binary (T1554)
    Required data: XDR Agent
    Detector tags: Injection Analytics, Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon suspicious injection from a signed process

    Medium overridden

    A non-injected thread in a signed process with a suspicious injection type injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process which was executed by a scheduled task

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

    Globally uncommon injection from a signed process

    Low overridden

    A signed process injected into another process that it does not normally target at a global level. overridden

  • Globally uncommon process execution from a signed process Informational 4 variations

    A signed process has executed a process that, on a global level, it usually doesn't execute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Check if the actor process was injected or loaded a suspicious DLL before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon process execution from a signed process from a known vendor

    Medium overridden

    A signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally rare process execution from a signed process

    Medium overridden

    A signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally uncommon process execution from an injected thread in a signed process

    Low overridden

    An injected thread in a signed process has executed a process that, on a global level, it usually doesn't execute. overridden

    Globally uncommon process execution from a web server process or CGO

    Low overridden

    A web server process or CGO has executed a process that, on a global level, it usually doesn't execute. overridden

  • Globally uncommon root domain from a signed process Low 4 variations

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root domain from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    High overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root domain from a signed process

    Medium overridden

    A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination by a common process (sha256) Informational 4 variations

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code from the context of another process to avoid detection.
    Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination by a common process (sha256) from an injected thread

    High overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and very rare root-domain port combination by a common process (sha256)

    Medium overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination by a common process (sha256) from a known vendor

    Medium overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon and rare root-domain port combination by a common process (sha256)

    Low overridden

    A process with a common sha256 connected to an external domain in a specific port that, on a global level, it usually doesn't connect to. overridden

  • Globally uncommon root-domain port combination from a signed process Low 4 variations

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)
    Required data: XDR Agent
    Detector tags: Global Anomaly Analytics
    Attacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.
    Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.

    Variations

    Globally uncommon root-domain port combination from an injected thread in a signed process

    High overridden

    An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    High overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

    Globally uncommon root-domain port combination from a signed process

    Medium overridden

    A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden

  • Gmail delegation was turned on for the organization Informational Identity Threat Module

    A Google Workspace admin turned on Gmail delegation for all the organization's users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Email Collection.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if any user in the organization granted other users access to their mail inbox. Follow further actions done by the account.
  • Gmail routing settings changed Informational Identity Threat Module 1 variation

    Gmail routing settings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged (T1074) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Email Collection.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new routing settings look suspicious. Investigate the IP address associated with the routing settings. Follow further actions done by the account.

    Variations

    Gmail routing settings changed by a non-administrative Google Workspace identity

    Low overridden

    Gmail routing settings were modified. overridden

  • Google Marketplace restrictions were modified Informational Identity Threat Module 3 variations

    An identity modified Google Marketplace Restrictions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious Apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    Google Marketplace restrictions were modified by a suspicious identity

    Low overridden

    An identity modified Google Marketplace Restrictions. overridden

    Google Marketplace restrictions were modified from an unusual ASN

    Low overridden

    An identity modified Google Marketplace Restrictions. overridden

    Google Marketplace restrictions were modified by a non Google Workspace administrative user

    Informational overridden

    An identity modified Google Marketplace Restrictions. overridden

  • Google Workspace automation was created Informational Identity Threat Module 1 variation

    Google Workspace automation was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.
    Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.

    Variations

    Google Workspace automation was created for a public document

    Low overridden

    The document that the automation was created for is publicly shared. overridden

  • Google Workspace organizational unit was modified Informational Identity Threat Module

    A Google Workspace admin modified an organizational unit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Google Workspace third-party application's security settings were changed Informational Identity Threat Module 3 variations

    An identity changed Google Workspace third-party application's security settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    Google Workspace third-party application's security settings were changed by a suspicious identity

    Low overridden

    An identity changed Google Workspace third-party application's security settings. overridden

    Google Workspace third-party application's security settings were changed from an unusual ASN

    Low overridden

    An identity changed Google Workspace third-party application's security settings. overridden

    Google Workspace third-party application's security settings were changed by a non Google Workspace administrative user

    Informational overridden

    An identity changed Google Workspace third-party application's security settings. overridden

  • Google Workspace user authentication information changed Informational Identity Threat Module 2 variations

    Google Workspace authentication information was changed for a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.
    Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.

    Variations

    Google Workspace administrative user authentication information changed

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

    Google Workspace user authentication information changed by another account

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • HTTP with suspicious characteristics Low 3 variations

    Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    HTTP with suspicious characteristics which is repetitive

    Low overridden

    Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics to an IP address

    Low overridden

    Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics that always fails

    Informational overridden

    Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

  • Hidden Attribute was added to a file using attrib.exe Informational

    Hidden attribute was added to a file using attrib.exe, adversaries may set files to be hidden to evade detection mechanisms.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: Hidden Files and Directories (T1564.001)
    Required data: XDR Agent
    Attacker's goals: Hide malware or staged files from standard file explorers.
    Investigative actions: Check if the hidden file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.
  • Hydra Password Brute-Force Tool Execution High 1 variation

    Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: The attacker attempts to gain access to the account or host.
    Investigative actions: Verify that the commands are executed from a trusted source. Audit the victim account or host and verify that they haven't been compromised.

    Variations

    Hydra Password Brute-Force Tool Execution from a Kubernetes pod

    High overridden

    Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown. overridden

  • IAM Enumeration sequence Informational Cloud 1 variation

    An identity has executed a sequence of events which may be related to an IAM recon enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.

    Variations

    IAM Enumeration sequence executed from a cloud Internet facing instance

    Low overridden

    A cloud Internet facing instance performed an unusual IAM enumeration. overridden

  • IAM User added to an IAM group Informational Cloud

    An IAM user was added to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.
    Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.
  • IAM inline policy was added to group Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to role Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to user Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM instance profile associations were described Informational Cloud

    AWS IAM instance profile associations were described.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover infrastructure and resources that are available within a cloud environment.
    Investigative actions: Determine which instance profile associations were described. Investigate any suspicious activities related to the identity.
  • IAM instance profile was associated with EC2 instance Informational Cloud

    An AWS IAM instance profile was associated with EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was created Informational Cloud

    An AWS IAM instance profile was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was replaced for EC2 instance Informational Cloud

    An AWS IAM instance profile was replaced for EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profiles were listed Informational Cloud

    AWS IAM instance profiles associated with a role were listed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.
    Investigative actions: Determine which instance profiles were listed. Investigate any suspicious activities related to the identity and the role.
  • IAM policy default version was changed Informational Cloud

    A cloud identity set the specified version of an AWS IAM policy as the policy's default.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy version was created Informational Cloud

    A cloud identity created an AWS-managed IAM policy version.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to group Informational Cloud

    A cloud identity attached an AWS IAM policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to role Informational Cloud 1 variation

    An AWS IAM policy was attached to this role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.

    Variations

    Administrative IAM policy was attached to role

    Informational overridden

    An AWS IAM policy was attached to this role. overridden

  • IAM role trust policy modification Informational Cloud

    A cloud identity updated the trust policy of an AWS IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM role was created Informational Cloud

    An IAM role was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity or role.
  • IAM role-attached managed policies were listed Informational Cloud

    AWS IAM managed policies that are attached to a role were listed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify users and roles in a cloud environment to find privileged accounts for further exploitation.
    Investigative actions: Determine which managed policies were listed. Investigate any suspicious activities related to the identity and the role.
  • IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.
    Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.

    Variations

    Potential Targeted SSO Password Spray Activity Detected

    Medium overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

    Suspicious SSO Login Attempts from Multiple IPs

    Low overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

  • Identity assigned an Azure AD Administrator Role Informational Identity Threat Module 2 variations

    An identity was assigned an Azure AD Administrator role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.
    Investigative actions: Check if the added account is new to the organization. Check whether the account that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.

    Variations

    Identity assigned an Azure AD Administrator Role by an Application

    Medium overridden

    An identity was assigned an Azure AD Administrator role by an application. overridden

    Suspicious Azure AD Administrator Role assignment

    Low overridden

    An identity was assigned an Azure AD Administrator role. overridden

  • Image file execution options (IFEO) registry key set Low 3 variations

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Event Triggered Execution: Image File Execution Options Injection (T1546.012)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Look at the debugged process and what it is executing to determine if it is malicious.

    Variations

    Image file execution options (IFEO) registry key set to execute a shell or scripting engine process

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

    Image file execution options (IFEO) registry key set to activate Windows licenses illegally

    Medium overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally. overridden

    Image file execution options (IFEO) registry key set using reg.exe

    High overridden

    Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. overridden

  • Impossible traveler - SSO Low Identity Analytics 3 variations

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

    Variations

    Impossible traveler - non-interactive SSO authentication

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    Possible Impossible traveler via SSO

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    SSO impossible traveler from a VPN or proxy

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

  • Impossible traveler - VPN Low Identity Analytics 3 variations

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.

    Variations

    Possible Impossible traveler via VPN

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler from a VPN or proxy

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler with an unusual parameter

    Medium overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

  • Increase in Job-Related Site Visits Informational Identity Threat Module

    A user has visited multiple job-related sites in the past day.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Search Open Websites/Domains (T1593)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: This may be an early indicator of an insider threat.
    Investigative actions: Investigate the domains accessed and how popular they are in the organization. Check how long the user has been part of the organization. Verify that the user is not part of a department that accesses job sites as part of daily operations.
  • Indicator blocking Informational 1 variation

    Auditing or logging configuration changes on Linux host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Impairing host defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Indicator blocking in a Kubernetes pod

    Low overridden

    Auditing or logging configuration changes on Linux host. overridden

  • Indirect command execution using the Program Compatibility Assistant Medium

    Pcalua.exe (Program Compatibility Assistant) is used for running old programs that have compatibility issues. Attackers can use pcalua.exe to indirectly execute their malicious programs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Indirect Command Execution (T1202)
    Required data: XDR Agent
    Attacker's goals: Evading detection by indirectly executing their malicious programs.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Injection into rundll32.exe Informational 1 variation

    A process injected into an instance of rundll32.exe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Injection into rundll32.exe which was executed by a scheduled task

    Low overridden

    A process injected into an instance of rundll32.exe. overridden

  • Installation of a new System-V service Low 1 variation

    Installation of a new System-V service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Create or Modify System Process: Systemd Service (T1543.002)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may create systemd services to run malicious payloads.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Installation of a new System-V service in a Kubernetes pod

    Low overridden

    Installation of a new System-V service. overridden

  • Intense SSO failures Informational Identity Analytics 1 variation

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.

    Variations

    Intense SSO failures with suspicious characteristics

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden

  • Interactive at.exe privilege escalation method Low

    Detects an interactive AT scheduled task, which may be used as a form of privilege escalation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Scheduled Task/Job (T1053) Scheduled Task/Job: At (T1053.002)
    Required data: XDR Agent
    Detector tags: Scheduled tasks Analytics
    Attacker's goals: Attackers may attempt to use the command to gain persistence on the endpoint using recurring tasks.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Interactive local account enumeration Low Identity Analytics

    Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.
  • Interactive login by a machine account Informational Identity Analytics 1 variation

    A machine account performed an interactive or remote interactive login.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Successful interactive login by a machine account

    Low overridden

    A machine account performed a successful interactive or remote interactive login. overridden

  • Interactive login by a service account Low Identity Analytics 2 variations

    A service account performed an interactive or remote interactive login.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Interactive login by a service account to a sensitive server

    Medium overridden

    Interactive login by a service account to a sensitive server. overridden

    Failed interactive login by a service account

    Informational overridden

    A service account performed an interactive or remote interactive login. overridden