Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1273 alerts match the current filters.

Show ATT&CK heatmap
  • Modification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation

    The AD FS service configuration file was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.

    Variations

    Suspicious Modification of the AD FS IdentityServer configuration file

    Low overridden

    The AD FS service configuration file was modified. overridden

  • Modification or Deletion of an Azure Application Gateway Detected Informational Cloud

    Modification or Deletion of an Azure Application Gateway Detected. A change has been detected in an Azure Application Gateway. This may indicate unauthorized access or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to the resources behind the Azure Application Gateway.
    Investigative actions: Check the Azure Application Gateway to identify the changes made. Verify whether the identity should be making this action.
  • Moniker link detected in URL(s) Informational Email 2 variations

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user on clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    A suspicious Moniker link, SMB and suspicious extension detected

    Medium overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

    A suspicious Moniker link pointing to SMB detected

    Low overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

  • Mount command was executed from within a Kubernetes pod to list all the attached filesystems Low 1 variation

    The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Access to the host filesystem.
    Investigative actions: Look for additional suspicious activities. Verify if there was an attempt to access the host system.

    Variations

    Unusual mount command was executed from within a Kubernetes pod to list all the attached filesystems

    Medium overridden

    The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access. overridden

  • MpCmdRun.exe was used to download files into the system Low

    Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Ingress Tool Transfer (T1105)
    Required data: XDR Agent
    Attacker's goals: Download malicious tools onto the host for more activities.
    Investigative actions: Check if the downloaded file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.
  • Mshta.exe launched with suspicious arguments Low

    Microsoft HTML application host process has been launched with suspicious arguments, which may indicate malicious intent.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Mshta.exe spawns from a browser process Low 1 variation

    Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)
    Required data: XDR Agent
    Attacker's goals: Execute malicious code through system binary proxy execution to bypass application controls and security monitoring.
    Investigative actions: Examine the command line arguments passed to mshta for suspicious URLs or file paths. Check the browser process that spawned mshta for signs of compromise. Review network connections around the time of execution. Analyze any HTML applications (.hta files) that may have been executed.

    Variations

    Mshta.exe spawns from a browser process that executes a script from a URL

    Medium overridden

    Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector. overridden

  • Msiexec execution of an executable from an uncommon remote location Informational 2 variations

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and executing arbitrary files from the web.
    Investigative actions: Check execution of msiexec and the IP/Domain that used. Is the URL that is encoded in the command line trusted. Is executed DLL or MSI file known as legitimate. Is the initiating process legitimate and the user running it knows of its use.

    Variations

    Msiexec execution of an executable from an uncommon remote location with a specific port

    High overridden

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. overridden

    Msiexec execution of an executable from an uncommon remote location without properties

    Medium overridden

    Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware. overridden

  • Multi region enumeration activity Informational Cloud

    An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.
    Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.
  • Multiple Azure AD admin role removals Low Identity Threat Module

    An Azure AD identity removed multiple administrators from their roles.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may want to lock out an organization and retain sole access.
    Investigative actions: Check if the identity performing the actions was authorized to perform them. Check what roles the users were removed from. Check whether the identity is a newly added admin. Check if the identity is operating in its usual manner (location, time, operations) Check if the identity performed additional operations in the cloud environment that might be malicious.
  • Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation

    Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.

    Variations

    Multiple Okta MFA requests sent to a user with unusual characteristics

    Low overridden

    Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden

  • Multiple Rare LOLBIN Process Executions by User Low Identity Analytics 1 variation

    A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    Multiple curl process executions by user

    Informational overridden

    A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account. overridden

  • Multiple Rare Process Executions in Organization Informational Identity Analytics

    Multiple unusual processes were executed in the organization. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    30 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: XDR Agent
    Attacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.
  • Multiple Suspicious FTP Login Attempts Low

    Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Multiple TGT requests for users without Kerberos pre-authentication Informational Identity Analytics 2 variations

    Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    An excessive number of TGT requests were sent for users that do not require Kerberos pre-authentication

    Low overridden

    Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack. overridden

    A TGT request was sent for a user who does not require Kerberos pre-authentication

    Informational overridden

    A TGT request was sent for a user who does not require Kerberos pre-authentication. This might indicate an AS-REP attack. overridden

  • Multiple Weakly-Encrypted Kerberos Tickets Received Low

    A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert, generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the alert.Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack account credentials by obtaining easy-to-crack Kerberos tickets.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.
  • Multiple alerts associated with a single RDP connection Informational

    Multiple alerts associated with a single RDP connection were triggered.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: Enhanced RDP Analytics
    Attacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.
    Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.
  • Multiple alerts of different MITRE tactics were seen Low

    Multiple alerts of different MITRE tactics were seen on the same host under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the causality of all the linked alerts. It is visible in the bottom of the causality page. Assess whether it looks like a threat actor executing multiple tactics.
  • Multiple cloud snapshots export Informational Cloud 4 variations

    A cloud identity has downloaded multiple virtual machines or DB snapshots locally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the disk.
    Investigative actions: Check if the identity intended to export the virtual machines or DB snapshots. Check if the identity performed additional operations in the cloud environment that might be malicious.

    Variations

    Multiple cloud snapshots export

    High overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on the cloud project history. overridden

    Multiple cloud snapshots export

    Medium overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on The cloud identity history. overridden

    Multiple cloud snapshots export

    Low overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the unsuccessful attempts rate. overridden

    Multiple cloud snapshots export

    Low overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the cloud project or identity history. overridden

  • Multiple discovery commands Low 4 variations

    The alerted causality performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands from a web server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an SQL server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an unsigned causality

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from a standard IT tool

    Informational overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Linux host by the same process Informational 2 variations

    The alerted process performed multiple consecutive discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands on a Linux host by the same process

    Medium overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Linux host by the same process

    Low overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Windows host by the same process Low 5 variations

    The alerted process performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Remote Multiple discovery commands on a Windows host by the same IP

    High overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a web server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from an SQL server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a remote CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Rare Multiple discovery commands on a Windows host by the same process

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery-like commands Informational 3 variations

    The alerted process performed multiple consecutive discovery commands in a short time frame.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery-like commands by web server process

    Low overridden

    The web server process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands on a Linux host

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

  • Multiple failed AWS assume role attempts Informational Cloud 1 variation

    An AWS identity performed an unusual high number of failed assume role attempts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.
    Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.

    Variations

    Suspicious multiple failed AWS assume role attempts

    Medium overridden

    An AWS identity performed an unusual high number of failed assume role attempts. overridden

  • Multiple failed logins from a single IP Informational Cloud 2 variations

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access to the cloud console.
    Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.

    Variations

    Multiple failed logins from an unknown IP

    Medium overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden

    Multiple failed logins from a single IP by a compromised AWS access key

    High overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden

  • Multiple network-related alerts of different MITRE tactics on the same host Low

    Multiple alerts of different MITRE tactics were seen on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts. Asses whether it looks like a threat actor executing multiple tactics.
  • Multiple network-related alerts produced by different detectors on the same host Low

    Multiple alerts produced by different detectors were seen on the same host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: NDR Insights Analytics
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the source of all the linked alerts.
  • Multiple risk indicators for a cloud identity High Cloud

    Multiple risk indicators detected for a cloud identity, combining unusual activity with activity from unusual geolocation or high-risk IP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Compromise a cloud user account to gain access and perform malicious activities.
    Investigative actions: Review the user's recent activity for any unauthorized actions.Rotate the user's credentials immediately if confirmed compromised.
  • Multiple suspicious user accounts were created Low Identity Analytics

    A user was observed creating multiple rare user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account (T1136)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the accounts and verify the activity.
  • Multiple uncommon SSH Servers with the same Server host key Low

    Multiple uncommon SSH servers were observed using the same host key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Adversary-in-the-Middle (T1557)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Attackers may attempt to move laterally within the network by exploiting and relaying stolen client credentials to another SSH server.
    Investigative actions: Audit the authentication attempts to the SSH server using the same key. Look for unusual or repeated connections from the same or unexpected hosts. Audit Client Credentials, check for any signs of compromised client credentials being used on different SSH servers.
  • Multiple user accounts failed login due to account lockouts Low Identity Analytics 1 variation

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if any programs were cached with old credentials, resulting in account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Excessive user account login failure due to lockout from a suspicious source

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

  • Multiple user accounts were deleted Informational Identity Analytics 1 variation

    A user deleted multiple user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Impact (TA0040)
    ATT&CK techniques: Valid Accounts (T1078) Account Access Removal (T1531)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who deleted the accounts and verify the activity. Look into the recent activity of the deleted accounts and whether they were temporary or dormant.

    Variations

    A user deleted multiple users for the first time

    Low overridden

    A user deleted multiple user accounts. overridden

  • Multiple users authenticated with weak NTLM to a host Informational Identity Analytics

    Multiple user accounts authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be a result of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned host for additional suspicious activity.
  • NTDS.dit file written by an uncommon executable Low 3 variations

    The Active Directory database file was written by an uncommon process to a non-default location.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: NTDS (T1003.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Dump the sensitive contents of the database to masquerade as legitimate domain users.
    Investigative actions: Investigate the nature of the process writing the sensitive file. Is it a standard backup procedure? Check the path the file was written to. Is it local? Are there other relevant artifacts in this location?

    Variations

    NTDS.dit file written by a remote actor

    High overridden

    The Active Directory database file was written to the disk by a remote actor. overridden

    NTDS.dit file written by a rare executable to a suspicious path

    High overridden

    The Active Directory database file was written by a rare process to a suspicious path. overridden

    NTDS.dit file written by a rare executable

    Medium overridden

    The Active Directory database file was written by a rare process to a non-default location. overridden

  • NTLM Brute Force Informational Identity Analytics 2 variations

    This may indicate an NTLM brute force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    NTLM brute force on a sensitive user

    Medium overridden

    This may indicate an NTLM brute force attack. overridden

    High-frequency NTLM brute force attempts detected

    Low overridden

    This may indicate an NTLM brute force attack. overridden

  • NTLM Brute Force on a Service Account Low Identity Analytics

    This may indicate a NTLM brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the service accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • NTLM Brute Force on an Administrator Account Low Identity Analytics

    This may indicate an NTLM brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the administrator accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • NTLM Hash Harvesting Medium Identity Analytics

    An unusual number of users has sent NTLM to a target in the last hour. This may be indicative of poisoning and NTLM hash harvesting.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: OS Credential Dumping (T1003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to extract NTLM hashes for credential access.
    Investigative actions: Check that the destination is not a server. Verify that the destination is not external to the organization.
  • NTLM Password Spray Informational Identity Analytics 1 variation

    A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time. This may be indicative of a NTLM password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to guess user credential by password spray attack over multiple machines.
    Investigative actions: Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.

    Variations

    NTLM password spray on a sensitive entity

    Low overridden

    A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity. This may be indicative of a NTLM password spray attack. overridden

  • NTLM Relay Informational

    An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.
    Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.
  • Near-empty email from an external sender Informational Email 3 variations

    The email was sent from an external sender and contains minimal content.Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Gather Victim Identity Information (T1589)
    Required data: Microsoft 365 Emails
    Detector tags: Reconnaissance
    Attacker's goals: Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
    Investigative actions: Check the content of the body and whether it has any relevance to the recipients. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address. Verify whether the sender's IP address has appeared in different log sources before.

    Variations

    Blank email with an inline attachment from an external sender

    Informational overridden

    This email was sent from an external sender and contains no readable message content, but includes an inline attachment.Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts. overridden

    Blank email with an attachment from an external sender

    Informational overridden

    The email was sent from an external sender and contains no message content while including an attachment.Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information. overridden

    Empty email from an external sender

    Informational overridden

    The email was sent from an external sender and contains no subject or message content.While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity. overridden

  • Netcat makes or gets connections High

    Malicious actors can use Netcat for privilege escalation, remote code execution, data exfiltration and protocol tunneling to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: XDR Agent
    Attacker's goals: Establish command and control channel. Propagate in the victim network.
    Investigative actions: Verify that the usage of Netcat/Netcat64 is from an authorized personnel and that user has the right to access the remote host.
  • Network sniffing detected in Cloud environment Informational Cloud 2 variations

    A network sniffing tool was used in a cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.
    Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.

    Variations

    Unusual Network sniffing detected in Cloud environment

    Low overridden

    A network sniffing tool was used in a cloud environment. overridden

    Successful Network sniffing detected in Cloud environment

    Informational overridden

    A network sniffing tool was used in a cloud environment. overridden

  • New Administrative Behavior Medium 1 variation

    The endpoint performed new administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Remote Services (T1021)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.
    Investigative actions: Investigate the endpoint to determine if it is legitimately being used for administrative functions.

    Variations

    New SSH Administrative Behavior

    Informational overridden

    The endpoint performed new SSH administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement. overridden

  • New FTP Server Low 2 variations

    A new FTP server has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.

    Variations

    New FTP Server Accessed Via a Port Scan

    Informational overridden

    A new FTP server has been detected. overridden

    New FTP Server from an external source

    Low overridden

    A new FTP server has been detected. overridden

  • New Shared User Account Low Identity Analytics

    A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    30 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.
    Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.
  • New Teams application published to the organization catalog Informational Identity Threat Module 1 variation

    A new Teams application was published to the organization catalog.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to publish this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.

    Variations

    A Microsoft Teams application was published to the organization catalog by an unusual user

    Low overridden

    A new Teams application was published to the organization catalog. overridden

  • New addition to Windows Defender exclusion list Low 1 variation

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.

    Variations

    New addition to Windows Defender exclusion list from an unsigned process

    Medium overridden

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden

  • New cloud identity created with administrative policy Low Cloud 1 variation

    New cloud identity was created and assigned administrative policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.

    Variations

    Administrative IAM User Created with Credentials

    Low overridden

    New cloud identity was created and assigned administrative policy. overridden

  • Non-browser access to a pastebin-like site Low 4 variations

    Non-browser access to a pastebin-like site.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Data exfiltration or attack tool staging.
    Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.

    Variations

    Non-browser or an uncommon browser access to a pastebin-like site

    Informational overridden

    Non-browser or an uncommon browser access to a pastebin-like site. overridden

    Non-browser access to google sheets API

    Low overridden

    Non-browser access to google sheets API. overridden

    Non-browser failed access to a pastebin-like site

    Low overridden

    Non-browser failed access to a pastebin-like site. overridden

    Rare non-browser access to a pastebin-like site

    Medium overridden

    Rare non-browser access to a pastebin-like site. overridden

  • Numerous emails sent by a single sender to multiple internal recipients Informational Email

    Numerous emails were sent to multiple internal recipients. This may indicate spam or any other malicious attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Phishing, Spam
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Object versioning was disabled Informational Cloud 1 variation

    Object versioning of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.
    Investigative actions: Confirm that the identity intended to disable the resource versioning. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Object versioning was disabled by an unusual identity

    Informational overridden

    Cloud storage versioning was disabled/suspended by an unusual identity. overridden

  • Office process accessed an unusual .LNK file Low

    An attacker may embed a .LNK file in an Office document to execute malicious code.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Modify or create a shortcut to gain code or program execution.
    Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.
  • Office process spawned with suspicious command-line arguments Low 2 variations

    An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that executes executables from the memory of Word/Excel/PowerPoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Process Injection: Process Hollowing (T1055.012)
    Required data: XDR Agent
    Attacker's goals: Execute arbitrary code or run malicious applications undetected.
    Investigative actions: Check the file that spawns the office application and search for macros, formulas, or scripts.

    Variations

    Masqueraded office process spawned with suspicious command-line arguments

    Medium overridden

    An executable masquerading an office process was executed with LOLBIN-like command-line arguments. overridden

    PowerPoint process accesses a suspicious PPAM file

    Low overridden

    A PowerPoint process opened a PPAM file which might be used to execute malicious code. overridden

  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • Okta FastPass reported phishing attack suspected Low Identity Analytics

    Okta FastPass authentication reported a phishing attack suspected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker might attempt to compromise Okta accounts to gain initial access to the organization, sensitive assets or data.
    Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk. Examine email logs and headers to understand how the phishing email bypassed email security filters. Review the details of the phishing attempt, including the source email address, sender domain, and the content of the phishing message if available. Review recent login attempts, session details, and activity logs in OKTA for anomalies. Use threat intelligence feeds to identify if similar phishing tactics are part of a larger campaign. Examine historical access logs to see if there have been other attempts from the same IP or country and evaluate the potential threat level.
  • Okta Reported Attack Suspected Low Identity Threat Module

    Okta Threat Insight Reported Attack Suspected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker might attempt to compromise Okta accounts to gain access to sensitive assets or data.
    Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk.
  • Okta Reported Threat Detected Informational Identity Threat Module 1 variation

    Okta Threat Insight Reported Threat Detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.
    Investigative actions: Investigate the original events that were reported as suspicious. Investigate additional alerts that are activated based on the IP address. Follow further actions done by the ip.

    Variations

    Okta detected multiple threats from the same IP along with other suspicious characteristics

    Low overridden

    Okta Threat Insight Reported Threat Detected. overridden

  • Okta User Session Impersonation Informational Identity Threat Module 1 variation

    A user has initiated a session impersonation in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access to sensitive information or perform malicious actions on behalf of the impersonated user.
    Investigative actions: Ensure the user is authorized to impersonate a user session. Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.

    Variations

    Okta User Session Impersonation with suspicious characteristics

    Low overridden

    A user has initiated a session impersonation with suspicious characteristics in Okta. overridden

  • Okta account reset password attempt Informational Identity Threat Module 1 variation

    A user used a weak factor to reset their Okta password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Examine the IP address and assess its reputation. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Suspicious Okta account reset password attempt

    Low overridden

    A user used a weak factor to reset their Okta password. overridden

  • Okta account unlock Informational Identity Threat Module 1 variation

    Okta user account was unlocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    3 Hours
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Okta account unlock with suspicious characteristics

    Low overridden

    Okta user account was unlocked. overridden

  • Okta account unlock by admin Informational Identity Threat Module 1 variation

    An administrative user unlocked an Okta account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Suspicious Okta account unlock by admin

    Low overridden

    An administrative user unlocked an Okta account. overridden

  • Okta admin privilege assignment Informational Identity Threat Module 1 variation

    A user assigned admin privileges to a new user or group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.

    Variations

    Abnormal Okta admin privilege assignment with suspicious characteristics

    Low overridden

    A suspicious user assignment of admin privileges to a new user or group. overridden

  • Okta device assignment Informational Identity Threat Module 1 variation

    A device was assigned as an Okta MFA device to a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: For purposes of maintaining persistence, an attacker could potentially register his device with various accounts that have been compromised.
    Investigative actions: Confirm that the device assignments were intentionally made by the users and are legitimate. Examine the IP address and assess its reputation. Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.

    Variations

    A suspicious assignment of a mobile device to multiple users

    Low overridden

    A single device is being used as an Okta MFA device by multiple users. overridden

  • OneDrive file download Informational Cloud

    A file was downloaded from OneDrive using the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Exfiltrate sensitive data by downloading files from OneDrive.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • OneDrive file upload Informational Cloud

    A file was uploaded to OneDrive using Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Resource Development (TA0042)
    ATT&CK techniques: Stage Capabilities (T1608) Stage Capabilities: Upload Malware (T1608.001)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Establish persistence by uploading files to OneDrive, potentially using it as a staging area for further malicious activities.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • OneDrive folder creation Informational Cloud

    A folder was created in OneDrive using Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Remote Data Staging (T1074.002)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Establish persistence or prepare for data exfiltration by creating a storage location in OneDrive via the Microsoft Graph API, enabling them to later upload or manipulate files undetected.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations

    Identifies outbound emails that include links to file-sharing services sent externally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.
    Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.

    Variations

    Outbound email to external recipient(s) uses first-seen for organization file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

    Outbound email to external recipient(s) uses first-seen for sender file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

  • Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.
    Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    Outbound email sent to an unknown external BCC recipient with no To or CC addresses

    Low overridden

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden

  • Outbound email to an address hosted by a public email service provider Informational Email 1 variation

    Internal sender emailed to an address hosted by a public email service provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Outbound email to a single address hosted by a public email service provider

    Informational overridden

    Internal sender emailed to a single recipient with public email service provider. overridden

  • Outlook files accessed by an unsigned process Low

    An attacker may use an uncommon and unsigned process to access Outlook data files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001) Email Collection: Local Email Collection (T1114.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access to the data in the compromised mailbox.
    Investigative actions: Examine the process command and file activity to identify the mailbox. Check if the process performed any other suspicious file activity. Check if the process generated network connections.
  • Owner added to Azure application Informational Identity Threat Module

    An identity was added as an owner to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Application Access Token (T1528)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add owners to an application to authenticate as the application later on and access resources.
    Investigative actions: Check if the added account is new to the organization. Check whether the account that added the new owner is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.
  • Owner was added to Azure application Informational Cloud

    An Owner was added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain administrative control and manipulate the application's permissions and settings.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • PIM privilege member removal Informational Cloud

    A cloud identity has removed a user's privileged role within PIM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Azure Audit Log
    Attacker's goals: Disrupt system and network access by blocking legitimate user accounts.
    Investigative actions: Investigate the suspected identity who initiated the removal. Identify the privileged accounts that were affected. Review the current access rights of the privileged accounts.
  • PKINIT TGT authentication request Informational Identity Analytics 2 variations

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.
    Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.

    Variations

    Suspicious PKINIT TGT authentication request

    Medium overridden

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden

    Abnormal PKINIT TGT authentication request

    Low overridden

    A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden

  • Parsing Rule Error Medium

    A Parsing Rule error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Penetration testing tool activity attempt Informational Identity Analytics 1 variation

    A SaaS API was invoked by a penetration testing tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: Office 365 Audit
    Attacker's goals: Usage of known tools and frameworks.
    Investigative actions: Check if there is an active PT test ongoing.

    Variations

    Penetration testing tool activity attempt

    Medium overridden

    A SaaS API was successfully invoked by a penetration testing tool. overridden

  • Permission Groups discovery commands Informational 1 variation

    Permission group discovery command execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Collect information about the host.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Permission Groups discovery commands in a Kubernetes pod

    Informational overridden

    Permission group discovery command execution. overridden

  • Phantom DLL Loading Medium 2 variations

    An attacker might leverage existing processes missing module loads to load malicious code into trusted processes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection, persist or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious.

    Variations

    Phantom DLL Loading was used to load a DLL into a process after it was extracted from an internet-downloaded archive

    High overridden

    An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden

    Phantom DLL Loading was used to load a DLL into a process after it was downloaded from an uncommon source

    High overridden

    An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden

  • Ping to localhost from an uncommon, unsigned parent process Informational

    Ping is often used by malware and attackers to delay the execution of suspicious commands in sandbox environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Virtualization/Sandbox Evasion (T1497)
    Required data: XDR Agent
    Attacker's goals: Use ping as an easy way to wait to try and evade detection between executions.
    Investigative actions: Validate if the executing process is malicious.
  • Port Scan Informational 3 variations

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: Palo Alto Networks Firewall traffic Logs Third-Party Firewalls
    Attacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.
    Investigative actions: New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time. Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert. Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.

    Variations

    Port scan by suspicious process

    Low overridden

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden

    Highly suspicious port scan

    Medium overridden

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden

    Suspicious port scan

    Low overridden

    The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden

  • Port Sweep Informational 1 variation

    The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Network Service Discovery (T1046)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.
    Investigative actions: Ensure that the source of the port sweep is not a new server in the network. New domain controllers or servers hosting services such as SNMP can cause false positives. Check for new known vulnerabilities in the ports scanned, this method is often used to target known vulnerabilities.

    Variations

    Port Sweep to multiple subnets

    Low overridden

    The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete. overridden

  • Possible AS-REP Roasting Attack Medium Identity Analytics 1 variation

    A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    AS-REP Roasting Attack

    High overridden

    A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack. overridden

  • Possible Brute-Force attempt Informational Identity Analytics 2 variations

    This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Possible Brute-Force attempt on a Honey User Account

    Medium overridden

    This may indicate a brute-force attack. overridden

    Possible Brute-Force attempt with a successful login and suspicious characteristics

    Low overridden

    This may indicate a brute-force attack. overridden

  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Possible DCSync from a non domain controller Low 5 variations

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Impacket Analytics
    Attacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.
    Investigative actions: Check whether one of the machines is a new domain controller.

    Variations

    DCSync from a non domain controller from a non-standard process

    High overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller by AppID

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Large DCSync from a non domain controller

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    Possible DCSync from an internet-facing server

    Medium overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

    DCSync from a non domain controller

    Low overridden

    Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden

  • Possible DLL Hijack into a Microsoft process Informational 6 variations

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Hijack of a low entropy DLL into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Side-Loading into a Microsoft process from a suspicious folder

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    DLL Hijack into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft development or framework related process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

  • Possible DLL Search Order Hijacking Low 3 variations

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Search Order Hijacking by DLL Substitution

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

  • Possible Distributed File System Namespace Management (DFSNM) abuse High

    A possible abuse of Distributed File System Namespace Management (DFSNM).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker can abuse the Distributed File System Namespace Management protocol to coerce an authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.
    Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Look for unusual AD CS certificate requests. Check for possible DCSync alerts.
  • Possible Email collection using Outlook RPC Informational

    Outlook was executed using RPC by an uncommon parent process, this may be an indication of email collection activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection: Local Email Collection (T1114.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to perform email collection or manipulation using Outlook.
    Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use Outlook in its operation to send or extract emails.
  • Possible GPO Enumeration Informational Identity Analytics 2 variations

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Group Policy Discovery (T1615)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Investigate the LDAP search query for any suspicious indicators. Look for additional LDAP queries the user executed that might be suspicious. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Check if the process executes LDAP search queries as part of its normal behavior.

    Variations

    Suspicious GPO Enumeration by an LDAP tool

    Medium overridden

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

    Possible GPO Enumeration by a Suspicious Process

    Low overridden

    A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Possible IPFS traffic was detected Informational

    The host attempted to access other nodes in an IPFS manner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.
  • Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.
    Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.

    Variations

    Azure First-Seen Device - Impossible Traveler

    Low overridden

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden

    Rare Country Login - Impossible Traveler (SSO)

    Low overridden

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden

  • Possible Insider Threat Activity Low Identity Threat Module 1 variation

    A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Financial Theft (T1657)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An insider threat might use their access to organizational resources for personal gain.
    Investigative actions: Check how long the user has been part of the organization. Check if the user is about to leave the company. Verify that the user is not part of a department that performs such activity as part of daily operations.

    Variations

    Indicate Insider Threat Activity

    Medium overridden

    A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain. overridden

  • Possible Kerberoasting attack Medium Identity Analytics 1 variation

    A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Kerberoasting attack

    High overridden

    A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack. overridden

  • Possible Kerberoasting without SPNs Low 1 variation

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack service account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Possible Kerberoasting without SPNs on a sensitive server

    Medium overridden

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN. overridden

  • Possible Kerberos User Enumeration Informational Identity Analytics 1 variation

    Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery: Domain Account (T1087.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users.
    Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Check the host from which the errors originated, and verify the legitimacy of the TGT requests. Correlate successful logons from the source host to identify potential account compromises following the failed attempts. Review source host activity to detect any additional suspicious or lateral movement behavior.

    Variations

    Possible Kerberos User Enumeration Involving Exposed Users

    Low overridden

    Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration. overridden

  • Possible Kerberos relay attack Low

    A suspicious local network login was observed, which might indicate on Kerberos relay attack. This attack can lead to privilege escalation by obtaining system privileges on the target.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)
    Required data: Windows Event Collector XDR Agent
    Attacker's goals: An attacker is attempting to elevate its privileges on the machine.
    Investigative actions: Check for any other suspicious activity related to the host involved in the alert. Look for a new machine that was added to the domain.
  • Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Possible admin enumeration via LDAP

    Informational overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    A user executed an LDAP enumeration query with suspicious characteristics

    Medium overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    Rare LDAP enumeration query executed by a user

    Low overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

  • Possible LDAP Enumeration of Microsoft Configuration Manager Informational Identity Analytics 1 variation

    A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Microsoft SCCM Analytics
    Attacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.

    Variations

    Suspicious enumeration on Microsoft Configuration Manager via LDAP

    Low overridden

    A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden