Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapInteractive login from a shared user account Informational Identity Analytics
A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.Internal Login Password Spray Informational Identity Analytics 5 variations
An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Check the amount of time in between each authentication attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful authentication attempts and the ratio of login success versus login failures. Monitor for potential abuse of MFA on users who have successfully logged in.Variations
Suspicious intensive and short internal Login Password Spray
Medium overridden
An abnormally high number of login attempts within a very short period of time and suspicious automated behavior. overridden
High-Volume Internal Password Spray Attack
Medium overridden
Over 500 user accounts failed to login within a short period of time. overridden
Internal Login Password Spray with many wrong password attempts
Low overridden
An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time. overridden
Internal Login Password Spray attempt on local user
Low overridden
An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time. overridden
Internal Login Password Spray on many users
Low overridden
An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack. overridden
Invalid SAML Detected Informational Identity Threat Module 1 variation
A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002)Required data: AzureAD OktaDetector tags: Active Directory Federation Services AnalyticsAttacker's goals: An attacker might forge a valid SAML token to impersonate other user accounts. This is used to gain persistent, unauthorized access to cloud resources, and bypassing MFA.Investigative actions: Check for recent changes to the SAML signing certificate on both the Identity Provider and the Service Provider to rule out a configuration drift or expiration issue. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Suspicious Invalid SAML Detected
Low overridden
A user attempted to sign in using an invalid SAML. This might indicate a Golden SAML attack. overridden
Iptables configuration command was executed Informational 7 variations
The iptables process was executed with a command to add or delete rules on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: Adding or deleting system firewalls rules to avoid possible detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Rare iptables port forward command was executed
Low overridden
An iptables command was executed to perform port forward, This command is unpopular. overridden
Uncommon iptables port forward command was executed on the host
Informational overridden
An iptables command was executed to perform port forward, This command is uncommon for the host. overridden
Rare iptables delete command was executed
Low overridden
An iptables command was executed to delete rule, This command is unpopular. overridden
A rare iptables delete command was executed on the host
Informational overridden
An iptables command was executed to delete rule, This command is uncommon for the host. overridden
A rare iptables flush all command was executed
Low overridden
An iptables command was executed to flush all rules, This command is unpopular. overridden
A rare iptables flush command was executed
Low overridden
An iptables command was executed to flush all rules, This command is unpopular. overridden
A rare iptables flush command was executed on the host
Informational overridden
An iptables command was executed to flush rules, This command is uncommon for the host. overridden
Kerberos Pre-Auth Failures by Host Low
The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.This can indicate a password-spraying attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.Investigative actions: Verify whether the host that generated the alert is normally used by many users (for example, a terminal server). Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.Kerberos Pre-Auth Failures by User and Host Informational
The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.This can indicate a Kerberos brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting to guess the credentials for the user account.Investigative actions: Verify that the password for the account has not been changed recently, without updating the user or the program using it. Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.Kerberos Traffic from Non-Standard Process Medium 1 variation
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known Kerberos port with a different protocol to evade detection.Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware. Check if this process was running on other endpoints as well.Variations
Rare Kerberos Traffic from a Process
Low overridden
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally. overridden
Kerberos User Enumeration Medium Identity Analytics
A high amount of Kerberos principal unknown errors were generated on users in the last hour.This may be indicative of Kerberos user enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users and finding service accounts.Investigative actions: Check whether any service principal names (SPNs) were not set correctly, as they will always return a principal unknown error.Key credential attribute modification Informational Identity Analytics 2 variations
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may be attempting to add shadow credentials to an account, gaining persistent unauthorized access.Investigative actions: Follow further PKINIT authentication activity by the modified identity. Verify if Windows Hello for Business is enabled, as this is a common benign cause for this activity. Check if the modified credential maps to an existing device ID in Entra ID. Examine recent activity from the user account, including logon patterns and privilege changes.Variations
Possible shadow credentials addition
Medium overridden
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden
Key credential attribute addition
Low overridden
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden
Keylogging using system commands Low 1 variation
Usage of a Linux system utility to capture input.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Input Capture: Keylogging (T1056.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may capture keystrokes to intercept user credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Keylogging using system commands in a Kubernetes pod
Low overridden
Usage of a Linux system utility to capture input. overridden
Known service display name with uncommon image-path Low 3 variations
Service created with a known display name but has an uncommon image-path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Execution (TA0002)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Run malicious code with seemingly trustworthy services.Investigative actions: Investigate the image path of the newly created service. Investigate the causality actor process that initiated the activity.Variations
Known service display name with uncommon image-path created by an untrusted CGO
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known Palo Alto service display name with uncommon image-path
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known service display name with uncommon image-path in a suspicious folder
Medium overridden
Service created with a known display name but has an uncommon image-path. overridden
Known service name with an uncommon image-path Low 2 variations
A Service with a known service name has an uncommon image-path.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Execution (TA0002)ATT&CK techniques: Create or Modify System Process: Windows Service (T1543.003) System Services: Service Execution (T1569.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Malicious Service AnalyticsAttacker's goals: Run malicious code within seemingly trustworthy services.Investigative actions: Investigate the image-path of the newly created service. Investigate the causality actor process that initiated the activity.Variations
Known Palo Alto service name with an uncommon image-path
Medium overridden
A Service with a known service name has an uncommon image-path. overridden
Known service name with an uncommon image-path in a suspicious folder
Medium overridden
A Service with a known service name has an uncommon image-path. overridden
Kubelet server communication from a pod Informational 1 variation
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.Investigative actions: Examine the process on the pod to understand its purpose.Variations
Kubelet server communication from a pod by a first seen process
Low overridden
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden
Kubernetes API server communication from within a pod Informational 2 variations
The Kubernetes API server was accessed from within a pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual Kubernetes API server communication from within a pod performed by curl process
Medium overridden
The Kubernetes API server was accessed from within a pod. overridden
Unusual Kubernetes API server communication from within a pod
Low overridden
The Kubernetes API server was accessed from within a pod. overridden
Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod Created With Sensitive Volume for the first time in the cluster
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time in the namespace
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time by the identity
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access data used by other pods that use the host's IPC namespace.Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.Variations
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Privileged Pod Creation Informational Cloud 3 variations
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Privileged Pod Creation for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time by the identity
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes admission controller activity Informational Cloud 4 variations
A Kubernetes admission controller has been created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.Variations
Kubernetes validating admission controller was used in the organization for the first time
Low overridden
A validating Kubernetes admission controller has been created or modified. overridden
Kubernetes mutating admission controller was used in the organization for the first time
Medium overridden
A mutating Kubernetes admission controller has been created or modified. overridden
Kubernetes validating admission controller was used in the cluster for the first time
Low overridden
A validating Kubernetes admission controller has been created or modified. overridden
Kubernetes mutating admission controller was used in the cluster for the first time
Medium overridden
A mutating Kubernetes admission controller has been created or modified. overridden
Kubernetes cluster events deletion Informational Cloud
Kubernetes cluster events deletion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Adversaries may delete Kubernetes events to avoid possible detection.Investigative actions: Check whether these changes are expected.Kubernetes enumeration activity Informational Cloud 1 variation
An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Map the cluster environment and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Suspicious Kubernetes enumeration activity
Informational overridden
An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Kubernetes environment enumeration activity Informational 2 variations
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Map the Kubernetes cluster environment and detect potential resources to abuse.Investigative actions: Identify which Kubernetes resources were discovered. Investigate whether affected resources were used to extract sensitive information.Variations
Kubernetes environment enumeration activity from a pod
Medium overridden
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Suspicious Kubernetes environment enumeration activity
Low overridden
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Kubernetes network policy modification Informational Cloud
A change has been made to the network policies of a Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the network infrastructure. Gain access to sensitive data. Gain access to Kubernetes resources.Investigative actions: Investigate the Kubernetes Network Policy to identify the changes made. Verify whether the identity should be making this action.Kubernetes nsenter container escape Informational 2 variations
The nsenter command was used to execute a process in the context of the initialization process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may break out of a container to run commands on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Kubernetes nsenter container escape from a new Pod
Medium overridden
The nsenter command was used to execute a process in the context of the initialization process. overridden
Kubernetes nsenter container escape from a Pod
Low overridden
The nsenter command was used to execute a process in the context of the initialization process. overridden
Kubernetes pod creation from unknown container image registry Low Cloud 1 variation
A Kubernetes pod was created with a container image from an unknown registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy container with a malicious image to facilitate execution.Investigative actions: Check the image registry designation in the organization. Scan the container image for any malicious components.Variations
Kubernetes pod creation from unusual container image registry
Low overridden
A Kubernetes pod was created with a container image from an unknown registry. overridden
Kubernetes pod creation with host network Informational Cloud 3 variations
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.Variations
Kubernetes pod creation with host network for the first time in the cluster
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time in the namespace
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time by the identity
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes secret enumeration activity Informational 5 variations
Kubectl secret enumeration command was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Unsecured Credentials: Container API (T1552.007)Required data: XDR AgentDetector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Attackers may gather sensitive information within a container environment.Investigative actions: Check whether the executing process is performed by authorized identity and if this was a desired behavior as part of its normal execution flow.Variations
Kubernetes secret describe activity from a Kubernetes Pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret value extraction activity from a Kubernetes pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret enumeration activity from a Kubernetes Pod
Medium overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret enumeration activity from a host
Low overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes secret value extraction activity
Informational overridden
Kubectl secret enumeration command was executed. overridden
Kubernetes service account activity outside the cluster Informational Cloud 2 variations
A service account user successfully invoked API calls outside the Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the Kubernetes cluster.Investigative actions: Determine which Kubernetes resources were accessed using the service account. Verify whether the service account token was exposed.Variations
Unusual Kubernetes service account activity outside the cluster
Low overridden
A service account user successfully invoked API calls outside the Kubernetes cluster. overridden
Kubernetes service account activity outside the cluster from non-cloud IP
Low overridden
A service account user successfully invoked API calls outside the Kubernetes cluster. overridden
Kubernetes version disclosure Informational
The Kubernetes API server was inquired about the Kubernetes version by a process from within a pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to disclose information about the Kubernetes environment.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Kubernetes vulnerability scanner activity Medium 1 variation
A Kubernetes cluster was scanned by a known vulnerability scanner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Kubernetes vulnerability scanner activity from within a Kubernetes Pod
Medium overridden
A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden
Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations
A known vulnerability scanning tool was used within a Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.Variations
Kubernetes vulnerability scanning tool usage within a pod
Medium overridden
A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden
External Kubernetes vulnerability scanning tool usage
Medium overridden
A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden
LDAP AD CS Enumeration via Attack Tool Low Identity Analytics 1 variation
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Authentication Certificates (T1649)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Abnormal LDAP AD CS Enumeration via Attack Tool
Medium overridden
A user sent a suspicious AD CS enumeration query via LDAP. The query is associated with an AD CS LDAP enumeration tool that may be used during attacks against the organization. overridden
LDAP search query from an unpopular and unsigned process Low
An unpopular and unsigned process performed an LDAP search query. This may be indicative of LDAP enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Generic search queries (often using wildcards) tend to be more suspicious.LDAP traffic from non-standard process Informational 4 variations
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR AgentAttacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating LDAP. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.Variations
LDAP traffic from reverse SSH tunnel
Medium overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from non-standard and uncommon process
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from non-standard process executed under an unsigned causality actor in a commonly abused directory
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LDAP traffic from an injected thread within a non-standard process
Low overridden
LDAP traffic is usually performed by a standard set of processes.The endpoint had a non-standard process communicating over ports normally used by LDAP.This may be indicative of Active Directory domain enumeration, which may be used during attacks against the organization. overridden
LOLBAS executable injects into another process Informational 1 variation
A signed binary, which can be abused to run code, injected code to another process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.Variations
LOLBAS executable injects into another process under an uncommon CGO
Low overridden
A signed binary, which can be abused to run code, injected code to another process. overridden
LOLBIN created a PSScriptPolicyTest PowerShell script file Informational 1 variation
A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: PowerShell (T1059.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Executing PowerShell scripts in a stealthy manner.Investigative actions: Investigate the process and command line that created the file and whether it's benign or normal for this host. Investigate the created PowerShell file for potential malicious commands.Variations
LOLBIN created a larger than usual PSScriptPolicyTest PowerShell script file
Medium overridden
A LOLBIN created a PSScriptPolicyTest file. This may be a sign of malicious PowerShell execution without directly invoking the powershell.exe binary. overridden
LOLBIN process executed with a high integrity level Low 1 variation
A process spawned a suspicious LOLBIN process with a higher/system integrity level.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: XDR AgentAttacker's goals: An attacker may attempt to gain higher privileges.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it.Investigate the endpoint to determine if it's a legitimate process that is supposed to run with privileges.Variations
LOLBIN process executed with a high integrity level by a web server process or CGO
Medium overridden
A process spawned a suspicious LOLBIN process with a higher/system integrity level by a web server process or CGO.The LOLBIN process spawned with an uncommon command line. This may be an indication of malicious code execution to gain privileges. overridden
LSASS dump file written to disk Medium
Dumping Lsass.exe (Local Security Authority Subsystem Service) memory to file allows attackers to later extract credentials from the memory dump.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may try to extract OS credentials from the dumped Lsass.exe file.Investigative actions: Check the dumping process for more suspicious activity.Large Upload (FTP) Low 1 variation
The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Exfiltrate stolen data from the victim network to an attacker's controllable resource.Investigative actions: Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive. Identify the entity performing the data transfer to determine if the transfer is sanctioned. Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.Variations
Large Upload (FTP)
Informational overridden
The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol. overridden
Large Upload (Generic) Low 3 variations
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful to him.Investigative actions: Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity. Check if the traffic is to/from a misconfigured network. Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.Variations
Large Upload (Generic)
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (Generic) Lower than 100 MB
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (Generic) to a Frequently Used Upload Target
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (HTTPS) Low 2 variations
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Transfer data she has stolen from your network to a location that is convenient and useful to her.Investigative actions: Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data to a site that uses load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR Analytics detector. Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.Variations
Large Upload (HTTPS)
Informational overridden
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (HTTPS) to non-standard port
Low overridden
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (SMTP) Low 1 variation
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Transfer data they have stolen from your network to a location that is convenient and useful to him.Investigative actions: Identify the process/user performing the data transfer to determine if the transfer is sanctioned. Verify that the source is not a mail server. Check if the target address represents a mail service that rarely used in the organization. If so, this might indicate on file exfiltration attempt.Variations
Large Upload (SMTP)
Informational overridden
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network. overridden
Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation
A user accessed a large volume of files potentially containing credentials in Google Drive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.Variations
Possible credential files harvesting in Google Drive
Low overridden
A user accessed a large volume of files potentially containing credentials in Google Drive. overridden
Linux local user account creation Informational Identity Analytics 1 variation
A user executed a process associated with user account creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Local Accounts (T1078.003)Required data: XDR AgentAttacker's goals: Persistence using a valid account.Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.Variations
Linux local user account creation by non-root user
Low overridden
A non-root user executed a process associated with user account creation. This user does not regularly create accounts. overridden
Linux network share discovery Informational
An adversary might use known tools to discover SMB shares within the compromised network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Share Discovery (T1135)Required data: XDR AgentAttacker's goals: Exfiltrate or hide sensitive data.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Linux process execution with a rare GitHub URL Informational
A process was executed with an uncommon GitHub URL in its command line. This may have legitimate uses, but it might also be used by attackers to download malicious payloads.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter (T1059)Required data: XDR AgentAttacker's goals: Download a second stage payload for execution.Investigative actions: Check if the initiator process is malicious. Check the user activity on the same agent at that time. Check if the host is a development server. Check if this installation was related to more installations at the same time. Check for additional file/network operations by the same process instance.Linux system firewall was modified Low
The system firewall was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Exfiltrate data or move laterally in the organization.Investigative actions: Examine the command to understand which IPs or ports were affected. Check the communication allowed by the modified firewall rule.Local account discovery Informational
One of several local account discovery commands were executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Local Account (T1087.001)Required data: XDR AgentAttacker's goals: Account discovery.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Local group enumeration Informational Identity Analytics 2 variations
A user performed an enumeration on local groups to retrieve their details.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Local group enumeration for the first time
Low overridden
A user performed an enumeration on local groups to retrieve their details. overridden
Local group enumeration using a builtin Windows binary
Informational overridden
A user performed an enumeration on local groups to retrieve their details. overridden
Local group enumeration via RPC Informational 1 variation
A user enumerated local groups via RPC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Remote local group enumeration via RPC
Informational overridden
A user enumerated local groups via RPC. overridden
Local user account creation Informational Identity Analytics 1 variation
A user was observed creating a rare local user account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.Variations
Suspicious local user account creation
Low overridden
A user was observed creating a rare local user account. This user has not been seen creating user accounts in the past 30 days. overridden
Local user account creation by a machine account Informational Identity Analytics
A machine account was observed creating a rare local user account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the machine that created the user account and verify its activity. Check if the machine account is supposed to create user accounts. Investigate whether the same account was created on different hosts as part of an installation process.Local user enumeration via SAMR Informational 1 variation
A user enumerated local users via SAMR.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Local Account (T1087.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local user discovery to identify privileged users and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the user enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local users is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Local user enumeration via SAMR on an internet facing server
Low overridden
A user enumerated local users via SAMR. overridden
Log enumeration via cloud native logging service Informational Cloud 1 variation
An activity of log enumeration operations via cloud native logging service was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Log Enumeration (T1654)Required data: AWS Audit LogAttacker's goals: Gaining information about your environment as part of the discovery phase.Investigative actions: Check the identity which invoked the operations.Variations
Log enumeration via cloud native logging service invoked by an identity for the first time
Low overridden
An activity of log enumeration operations via cloud native logging service was detected. overridden
Logging was impaired via external encryption key Medium Cloud
The resource was configured with an external key This might be an attempt to disrupt log inspection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Modifying the key used to encrypt the logs to remain undetected.Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.Login attempt by a honey user Low Identity Analytics 1 variation
A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Successful login by a honey user
Medium overridden
A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden
Login by a dormant user Informational Identity Analytics 1 variation
A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use a compromised user account that has not been used for a long time and is therefore less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Cached interactive login by a dormant user
Informational overridden
A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker. overridden
Logs were not collected from a data source for an abnormally long time Low 4 variations
Logs were not collected from a data source for an abnormally long time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 6 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Variations
Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time
Low overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time
Low overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a data source for an abnormally long time, which indicates a significant stop
Medium overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently
Medium overridden
Logs were not collected from a data source for an abnormally long time. overridden
MFA Disabled for Google Workspace Low Identity Threat Module 1 variation
An administrator has disabled Multi-Factor Authentication for Google Workspace users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to Google Workspace accounts with disabled MFA. Exploit Google Workspace accounts with weaker security. Steal sensitive data from Google Workspace accounts.Investigative actions: Check the MFA settings for the Google Workspace users. Identify the users who have MFA disabled and investigate the reason for it. Check the security log to see if there have been any suspicious activities in the account.Variations
MFA Disabled for Google Workspace from an unusual caller IP ASN
Low overridden
An administrator has disabled Multi-Factor Authentication for Google Workspace users. overridden
MFA device was removed/deactivated from an IAM user Informational Cloud
Deactivate an MFA device and disassociate it from an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: This may allow an attacker to gain access to the IAM user.Investigative actions: Check if IAM requires MFA to be enabled.MFA was disabled for a Google Workspace user Informational Identity Threat Module 2 variations
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.Investigative actions: Verify if the MFA disablement was authorized. Investigate the source IP and User Agent for previous malicious activity or anomalies. Follow further actions done by the user and IP address.Variations
MFA was disabled for a Google Workspace administrative user
Medium overridden
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden
MFA was disabled for a Google Workspace user by a different account for the first time
Low overridden
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden
MFA was disabled for an Azure identity Low Identity Threat Module 2 variations
MFA was disabled for the user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: AzureAD Audit LogAttacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.Variations
Suspicious MFA was disabled for an Azure identity
Medium overridden
MFA was disabled for the user. overridden
MFA was disabled for an Azure identity regularly by the user
Informational overridden
MFA was disabled for the user. overridden
ML artifacts destruction Low Cloud 1 variation
An identity deleted multiple ML artifacts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.Variations
Unusual ML artifacts destruction
Medium overridden
An identity deleted multiple ML artifacts.This large volume of deleted ML artifacts had not been seen across all projects for the last 30 days. overridden
MSI accessed a web page running a server-side script Informational 1 variation
The Microsoft installer command line included a URL to a web page running a server-side script, which is suspicious.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: An attacker may use this technique to install a malicious tool from a remote server.Investigative actions: Check whether the URL is benign and if this was a desired behavior as part of its normal execution flow.Variations
MSI accessed a web page running a server-side script
High overridden
MSI on an internet-facing server accessed a web page running a server-side script. overridden
Machine Account NTLM Relay Low
An NTLM NTProofStr was seen from more than one source. This indicates that machine account NTLM authentication data has been relayed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.Machine account was added to a domain admins group Medium Identity Analytics
A machine account was added to a domain admins group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Mailbox Client Access Setting (CAS) changed Medium
An attacker may use PowerShell to change the Client Access Settings (CAS) for a mailbox, hence gaining access to the data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access to the data in the compromised mailbox.Investigative actions: Examine the PowerShell command to identify which mailbox's access setting has been modified. Verify that the change in the client access setting was executed by a trusted source.Mailbox enumeration activity by Azure application Informational Cloud 1 variation
Microsoft Graph API was used to enumerate mailboxes in Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in mailboxes.Investigative actions: Determine which mailboxes were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Variations
Mailbox enumeration activity by Azure user
Informational overridden
Microsoft Graph API was used by a user to enumerate mailboxes. overridden
Manipulation of netsh helper DLLs Registry keys Medium
Registering netsh helper DLLs is uncommon, and could be used by malware for persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Event Triggered Execution: Netsh Helper DLL (T1546.007)Required data: XDR AgentAttacker's goals: Command execution and persistence on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Masquerading as a default local account Low Identity Analytics 3 variations
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to evade detection.Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.Variations
Masquerading as a default local account for the first time
Medium overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Potential masquerading as a power user account
Low overridden
A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden
Masquerading as a default Administrator account
Informational overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Masquerading as the Linux crond process Low 1 variation
Copies a file and renames it as crond.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Masquerade Task or Service (T1036.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may masquerade as the crond executable.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Masquerading as the Linux crond process from a Kubernetes pod
Low overridden
Copies a file and renames it as crond. overridden
Massive file activity abnormal to process Informational Identity Threat Module 1 variation
A user generated massive file activity by size or distinct file count.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.Variations
Massive file activity over 500 MB abnormal to process
Low overridden
A user generated massive file activity by size or distinct file count. overridden
Massive file compression by user Informational Identity Threat Module
Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Massive file downloads from SaaS service Informational Identity Threat Module Email 3 variations
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may download files from a SaaS service to exfiltrate sensitive data.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were downloaded to determine if they contain sensitive data. Verify if the user account that downloaded the files is authorized to access them. Analyze the file types that were downloaded. Monitor the account for any further suspicious actions.Variations
Suspicious SaaS service file downloads
Low overridden
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. The user connected from an unknown IP and displayed suspicious characteristics. overridden
Massive file downloads from SaaS service by terminated user
Low overridden
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden
Massive code file downloads from SaaS service
Low overridden
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden
Massive files deletion in Box Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Box Audit LogAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Box with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped. overridden
Massive files deletion in Dropbox Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: DropBoxAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Dropbox with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped. overridden
Massive files deletion in Google Drive Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Google Drive with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped. overridden
Massive files deletion in Microsoft SharePoint or OneDrive Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Office 365 AuditAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Microsoft SharePoint or OneDrive with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped. overridden
Massive upload to SaaS service Informational Identity Threat Module 1 variation
A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.Variations
Massive upload to SaaS service by suspicious user
Low overridden
A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden
Massive upload to a rare storage or mail domain Informational Identity Threat Module 1 variation
A large amount of data was transferred to an external site that is used for mail or storage. This behavior may indicate data exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR AgentAttacker's goals: A user uploaded an abnormal amount of data to a file sharing service. This activity might indicate an attempt to exfiltrate files and data from the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Identify the user uploading the data to determine if the transfer is sanctioned.Variations
A user uploaded over 500 MB to a rare storage or mail domain
Low overridden
A user uploaded over 500 MB to a file sharing service that is rarely accessed by them or anyone else in the organization. overridden
Member added to a Windows local security group Informational Identity Analytics 2 variations
A member was added to a Windows local security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added to the Windows local Administrator group
Low overridden
A member was added to a Windows local security group. overridden
Member added to the Windows local Administrator group
Informational overridden
A member was added to a Windows local security group. overridden
Memory dumping with comsvcs.dll High
A process memory dump was performed using comsvcs.dll MiniDump. This method is commonly used by attackers to dump Lsass.exe (Local Security Authority Subsystem Service) process memory to a file, so they could later extract credentials from the memory dump.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: LSASS Memory (T1003.001)Required data: XDR AgentAttacker's goals: Attackers may attempt to dump the memory of sensitive processes.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Microsoft 365 DLP policy disabled or removed Informational Identity Threat Module Email 1 variation
A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass Microsoft 365 Data Loss Prevention (DLP) policies.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Monitor the user's activity for any access to sensitive data or data exfiltration. Investigate if any other security policies have been changed or removed.Variations
Rare Microsoft 365 DLP policy removal
Low overridden
A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion. overridden
Microsoft 365 storage services exfiltration activity Low Cloud
The Microsoft Graph API was used to download Microsoft OneDrive and SharePoint files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft 365 storage services.Investigative actions: Determine which items were downloaded and whether they contained any sensitive information. Investigate the identity following actions.Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation
A user registered a device and requested a Microsoft Configuration Manager policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)Required data: XDR AgentDetector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.Variations
Suspicious Microsoft Configuration Manager device registration and policy request
Low overridden
A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden
Microsoft Office Process Spawning a Suspicious One-Liner Medium
A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)Required data: XDR AgentAttacker's goals: An attacker is trying to gain code execution on the host.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.Microsoft Office adds a value to autostart Registry key Low
Microsoft Office adds a value to a registry entry (run keys, startup folders) to establish persistence.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain persistence on the host using the Window's autostart Mechanism.Investigative actions: Check the registry key and determine what process it'll run. Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Microsoft Office injects code into a process Low 5 variations
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)Required data: XDR AgentDetector tags: Injection AnalyticsAttacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unsigned Microsoft Office injects code into a process
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to a non-standard PE section
High overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process to an undeclared memory page
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office injects code into a process from an unsigned process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process
Medium overridden
An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden
Microsoft Office process spawns a commonly abused process Low
Microsoft Office process spawns a commonly abused process with an uncommon command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)Required data: XDR AgentAttacker's goals: An attacker attempts to gain code execution via a phishing document.Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.Microsoft Office process spawns conhost.exe Low
This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)Required data: XDR AgentAttacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.Microsoft OneDrive enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft OneDrive items.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft OneDrive.Investigative actions: Determine which OneDrive files were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft OneNote enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft OneNote items.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft OneNote.Investigative actions: Determine which OneNote items were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft SharePoint enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft SharePoint sites in an Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft SharePoint.Investigative actions: Determine which SharePoint sites were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams the application setup policy, which is responsible for application management, was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.Variations
A user changed the Microsoft Teams application setup policy for the first time
Low overridden
Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden
Microsoft Teams enumeration activity Informational Cloud
The Microsoft Graph API was used to enumerate Microsoft Teams channels in an Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Service Discovery (T1526)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity Logs, Microsoft TeamsAttacker's goals: To extract sensitive information stored in Microsoft Teams.Investigative actions: Determine which Teams channels were enumerated and whether they contained any sensitive information. Investigate the identity following actions.Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams external communication policy was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.Variations
Microsoft Teams external communication policy was modified by an unusual user
Low overridden
Microsoft Teams external communication policy was modified. overridden
Microsoft Teams messages were exported from conversation Informational Identity Threat Module 1 variation
Microsoft Teams messages were exported from conversation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.Variations
Microsoft Teams messages were exported from conversation by a privileged user for the first time
Low overridden
Microsoft Teams messages were exported from conversation. overridden
Mimikatz command-line arguments High
These command-line arguments are often used by Mimikatz to dump and harvest credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR AgentAttacker's goals: An attacker is attempting to use Mimikatz, a known credential theft tool, to dump and harvest credentials.Investigative actions: Investigate the executed process to verify if it is malicious. Investigate the command line purpose.Modification of NTLM restrictions in the Registry Low
Allowing the transmission of NTLM could be part of an NTLM downgrade or an Internal Monologue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Downgrading to a lower NTLM version gives the attacker an easy way to retrieve NTLM hashes from a Windows machine.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Modification of PAM Informational 1 variation
Modification of PAM configuration files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Credential access, defense evasion or persistence.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Modification of PAM from a Kubernetes pod
Informational overridden
Modification of PAM configuration files. overridden