Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show ATT&CK heatmapModification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation
The AD FS service configuration file was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.Variations
Suspicious Modification of the AD FS IdentityServer configuration file
Low overridden
The AD FS service configuration file was modified. overridden
Modification or Deletion of an Azure Application Gateway Detected Informational Cloud
Modification or Deletion of an Azure Application Gateway Detected. A change has been detected in an Azure Application Gateway. This may indicate unauthorized access or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Gain access to the resources behind the Azure Application Gateway.Investigative actions: Check the Azure Application Gateway to identify the changes made. Verify whether the identity should be making this action.Moniker link detected in URL(s) Informational Email 2 variations
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user on clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
A suspicious Moniker link, SMB and suspicious extension detected
Medium overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
A suspicious Moniker link pointing to SMB detected
Low overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
Mount command was executed from within a Kubernetes pod to list all the attached filesystems Low 1 variation
The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Access to the host filesystem.Investigative actions: Look for additional suspicious activities. Verify if there was an attempt to access the host system.Variations
Unusual mount command was executed from within a Kubernetes pod to list all the attached filesystems
Medium overridden
The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access. overridden
MpCmdRun.exe was used to download files into the system Low
Attackers might be using legitimate Windows Defender executables to download malicious code onto the system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Ingress Tool Transfer (T1105)Required data: XDR AgentAttacker's goals: Download malicious tools onto the host for more activities.Investigative actions: Check if the downloaded file is malicious. Verify if the process executing the command is malicious. Check for more suspicious actions done by the user and process.Mshta.exe launched with suspicious arguments Low
Microsoft HTML application host process has been launched with suspicious arguments, which may indicate malicious intent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Mshta.exe spawns from a browser process Low 1 variation
Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Mshta (T1218.005)Required data: XDR AgentAttacker's goals: Execute malicious code through system binary proxy execution to bypass application controls and security monitoring.Investigative actions: Examine the command line arguments passed to mshta for suspicious URLs or file paths. Check the browser process that spawned mshta for signs of compromise. Review network connections around the time of execution. Analyze any HTML applications (.hta files) that may have been executed.Variations
Mshta.exe spawns from a browser process that executes a script from a URL
Medium overridden
Mshta is the Microsoft HTML Application Host. It executes HTML applications on Windows. Detected when a browser process has spawned mshta, which can be a potential attack vector. overridden
Msiexec execution of an executable from an uncommon remote location Informational 2 variations
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Msiexec (T1218.007)Required data: XDR AgentAttacker's goals: Evading security controls and executing arbitrary files from the web.Investigative actions: Check execution of msiexec and the IP/Domain that used. Is the URL that is encoded in the command line trusted. Is executed DLL or MSI file known as legitimate. Is the initiating process legitimate and the user running it knows of its use.Variations
Msiexec execution of an executable from an uncommon remote location with a specific port
High overridden
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. overridden
Msiexec execution of an executable from an uncommon remote location without properties
Medium overridden
Msiexec is the command-line utility for the Windows Installer. Adversaries may abuse msiexec.exe to proxy execution of malicious payloads from remote locations. Execution without properties is more common in malware. overridden
Multi region enumeration activity Informational Cloud
An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.Multiple Azure AD admin role removals Low Identity Threat Module
An Azure AD identity removed multiple administrators from their roles.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AzureAD Audit LogAttacker's goals: An attacker may want to lock out an organization and retain sole access.Investigative actions: Check if the identity performing the actions was authorized to perform them. Check what roles the users were removed from. Check whether the identity is a newly added admin. Check if the identity is operating in its usual manner (location, time, operations) Check if the identity performed additional operations in the cloud environment that might be malicious.Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.Variations
Multiple Okta MFA requests sent to a user with unusual characteristics
Low overridden
Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden
Multiple Rare LOLBIN Process Executions by User Low Identity Analytics 1 variation
A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 30 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.Variations
Multiple curl process executions by user
Informational overridden
A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account. overridden
Multiple Rare Process Executions in Organization Informational Identity Analytics
Multiple unusual processes were executed in the organization. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 30 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: XDR AgentAttacker's goals: Unusual processes may be executed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.Multiple Suspicious FTP Login Attempts Low
Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.Multiple TGT requests for users without Kerberos pre-authentication Informational Identity Analytics 2 variations
Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
An excessive number of TGT requests were sent for users that do not require Kerberos pre-authentication
Low overridden
Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack. overridden
A TGT request was sent for a user who does not require Kerberos pre-authentication
Informational overridden
A TGT request was sent for a user who does not require Kerberos pre-authentication. This might indicate an AS-REP attack. overridden
Multiple Weakly-Encrypted Kerberos Tickets Received Low
A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert, generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the alert.Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Crack account credentials by obtaining easy-to-crack Kerberos tickets.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.Multiple alerts associated with a single RDP connection Informational
Multiple alerts associated with a single RDP connection were triggered.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services: Remote Desktop Protocol (T1021.001)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: Enhanced RDP AnalyticsAttacker's goals: Adversaries may use RDP for initial access or lateral movement within a network.Investigative actions: Investigate the source and destination of the RDP communication. Check if this communication is legitimate and expected. Analyze the user and process that initiated the RDP connection.Multiple alerts of different MITRE tactics were seen Low
Multiple alerts of different MITRE tactics were seen on the same host under the same causality.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204) Native API (T1106)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsAttacker's goals: Execute multiple covert actions to circumvent detection.Investigative actions: Investigate the causality of all the linked alerts. It is visible in the bottom of the causality page. Assess whether it looks like a threat actor executing multiple tactics.Multiple cloud snapshots export Informational Cloud 4 variations
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the disk.Investigative actions: Check if the identity intended to export the virtual machines or DB snapshots. Check if the identity performed additional operations in the cloud environment that might be malicious.Variations
Multiple cloud snapshots export
High overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on the cloud project history. overridden
Multiple cloud snapshots export
Medium overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on The cloud identity history. overridden
Multiple cloud snapshots export
Low overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the unsuccessful attempts rate. overridden
Multiple cloud snapshots export
Low overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the cloud project or identity history. overridden
Multiple discovery commands Low 4 variations
The alerted causality performed multiple discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery commands from a web server CGO
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from an SQL server CGO
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from an unsigned causality
Medium overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands from a standard IT tool
Informational overridden
The alerted causality performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Linux host by the same process Informational 2 variations
The alerted process performed multiple consecutive discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery commands on a Linux host by the same process
Medium overridden
The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden
Multiple discovery commands on a Linux host by the same process
Low overridden
The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process Low 5 variations
The alerted process performed multiple discovery commands in a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Remote Multiple discovery commands on a Windows host by the same IP
High overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from a web server CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from an SQL server CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery commands on a Windows host by the same process from a remote CGO
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Rare Multiple discovery commands on a Windows host by the same process
Medium overridden
The alerted process performed multiple discovery commands in a short timeframe. overridden
Multiple discovery-like commands Informational 3 variations
The alerted process performed multiple consecutive discovery commands in a short time frame.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)Required data: XDR AgentAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Multiple discovery-like commands by web server process
Low overridden
The web server process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple discovery-like commands on a Linux host
Informational overridden
The alerted process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple discovery-like commands
Informational overridden
The alerted process performed multiple consecutive discovery commands in a short time frame. overridden
Multiple failed AWS assume role attempts Informational Cloud 1 variation
An AWS identity performed an unusual high number of failed assume role attempts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.Variations
Suspicious multiple failed AWS assume role attempts
Medium overridden
An AWS identity performed an unusual high number of failed assume role attempts. overridden
Multiple failed logins from a single IP Informational Cloud 2 variations
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access to the cloud console.Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.Variations
Multiple failed logins from an unknown IP
Medium overridden
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden
Multiple failed logins from a single IP by a compromised AWS access key
High overridden
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden
Multiple network-related alerts of different MITRE tactics on the same host Low
Multiple alerts of different MITRE tactics were seen on the same host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: NDR Insights AnalyticsAttacker's goals: Execute multiple covert actions to circumvent detection.Investigative actions: Investigate the source of all the linked alerts. Asses whether it looks like a threat actor executing multiple tactics.Multiple network-related alerts produced by different detectors on the same host Low
Multiple alerts produced by different detectors were seen on the same host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: NDR Insights AnalyticsAttacker's goals: Execute multiple covert actions to circumvent detection.Investigative actions: Investigate the source of all the linked alerts.Multiple risk indicators for a cloud identity High Cloud
Multiple risk indicators detected for a cloud identity, combining unusual activity with activity from unusual geolocation or high-risk IP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Compromise a cloud user account to gain access and perform malicious activities.Investigative actions: Review the user's recent activity for any unauthorized actions.Rotate the user's credentials immediately if confirmed compromised.Multiple suspicious user accounts were created Low Identity Analytics
A user was observed creating multiple rare user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account (T1136)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who created the accounts and verify the activity.Multiple uncommon SSH Servers with the same Server host key Low
Multiple uncommon SSH servers were observed using the same host key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Adversary-in-the-Middle (T1557)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Attackers may attempt to move laterally within the network by exploiting and relaying stolen client credentials to another SSH server.Investigative actions: Audit the authentication attempts to the SSH server using the same key. Look for unusual or repeated connections from the same or unexpected hosts. Audit Client Credentials, check for any signs of compromised client credentials being used on different SSH servers.Multiple user accounts failed login due to account lockouts Low Identity Analytics 1 variation
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if any programs were cached with old credentials, resulting in account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Excessive user account login failure due to lockout from a suspicious source
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
Multiple user accounts were deleted Informational Identity Analytics 1 variation
A user deleted multiple user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Impact (TA0040)ATT&CK techniques: Valid Accounts (T1078) Account Access Removal (T1531)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who deleted the accounts and verify the activity. Look into the recent activity of the deleted accounts and whether they were temporary or dormant.Variations
A user deleted multiple users for the first time
Low overridden
A user deleted multiple user accounts. overridden
Multiple users authenticated with weak NTLM to a host Informational Identity Analytics
Multiple user accounts authenticated to a host via NTLMv1 or LM authentication for the first time in the past 30 days. This may be a result of an NTLM downgrade attackA downgrade attack may force the client to authenticate with a weaker hash/protocol (such as NTLMv1 or even LM) instead of NTLMv2.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Use Alternate Authentication Material (T1550)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Audit all login events with a weaker protocol and review any anomalous usage. Investigate the mentioned host for additional suspicious activity.NTDS.dit file written by an uncommon executable Low 3 variations
The Active Directory database file was written by an uncommon process to a non-default location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003) OS Credential Dumping: NTDS (T1003.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Dump the sensitive contents of the database to masquerade as legitimate domain users.Investigative actions: Investigate the nature of the process writing the sensitive file. Is it a standard backup procedure? Check the path the file was written to. Is it local? Are there other relevant artifacts in this location?Variations
NTDS.dit file written by a remote actor
High overridden
The Active Directory database file was written to the disk by a remote actor. overridden
NTDS.dit file written by a rare executable to a suspicious path
High overridden
The Active Directory database file was written by a rare process to a suspicious path. overridden
NTDS.dit file written by a rare executable
Medium overridden
The Active Directory database file was written by a rare process to a non-default location. overridden
NTLM Brute Force Informational Identity Analytics 2 variations
This may indicate an NTLM brute force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
NTLM brute force on a sensitive user
Medium overridden
This may indicate an NTLM brute force attack. overridden
High-frequency NTLM brute force attempts detected
Low overridden
This may indicate an NTLM brute force attack. overridden
NTLM Brute Force on a Service Account Low Identity Analytics
This may indicate a NTLM brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the service accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.NTLM Brute Force on an Administrator Account Low Identity Analytics
This may indicate an NTLM brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the administrator accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.NTLM Hash Harvesting Medium Identity Analytics
An unusual number of users has sent NTLM to a target in the last hour. This may be indicative of poisoning and NTLM hash harvesting.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: OS Credential Dumping (T1003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to extract NTLM hashes for credential access.Investigative actions: Check that the destination is not a server. Verify that the destination is not external to the organization.NTLM Password Spray Informational Identity Analytics 1 variation
A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time. This may be indicative of a NTLM password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to guess user credential by password spray attack over multiple machines.Investigative actions: Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.Variations
NTLM password spray on a sensitive entity
Low overridden
A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity. This may be indicative of a NTLM password spray attack. overridden
NTLM Relay Informational
An NTLM NTProofStr was seen from more than one source. This indicates that NTLM authentication data has been relayed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) Use Alternate Authentication Material: Pass the Hash (T1550.002)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting a man-in-the-middle NTLM relay attack to intercept authentication attempts and move laterally within an environment.Investigative actions: Check that the alerted host is not a NAT or a proxy that duplicates traffic as part of its normal behavior. Check if the protocols used are vulnerable to an NTLM relay attack (e.g. LDAP, SMB). Ensure that SMB signing is enabled in the case of a possible SMB relay attack.Near-empty email from an external sender Informational Email 3 variations
The email was sent from an external sender and contains minimal content.Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Gather Victim Identity Information (T1589)Required data: Microsoft 365 EmailsDetector tags: ReconnaissanceAttacker's goals: Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).Investigative actions: Check the content of the body and whether it has any relevance to the recipients. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address. Verify whether the sender's IP address has appeared in different log sources before.Variations
Blank email with an inline attachment from an external sender
Informational overridden
This email was sent from an external sender and contains no readable message content, but includes an inline attachment.Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts. overridden
Blank email with an attachment from an external sender
Informational overridden
The email was sent from an external sender and contains no message content while including an attachment.Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information. overridden
Empty email from an external sender
Informational overridden
The email was sent from an external sender and contains no subject or message content.While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity. overridden
Netcat makes or gets connections High
Malicious actors can use Netcat for privilege escalation, remote code execution, data exfiltration and protocol tunneling to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: XDR AgentAttacker's goals: Establish command and control channel. Propagate in the victim network.Investigative actions: Verify that the usage of Netcat/Netcat64 is from an authorized personnel and that user has the right to access the remote host.Network sniffing detected in Cloud environment Informational Cloud 2 variations
A network sniffing tool was used in a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.Variations
Unusual Network sniffing detected in Cloud environment
Low overridden
A network sniffing tool was used in a cloud environment. overridden
Successful Network sniffing detected in Cloud environment
Informational overridden
A network sniffing tool was used in a cloud environment. overridden
New Administrative Behavior Medium 1 variation
The endpoint performed new administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Remote Services (T1021)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.Investigative actions: Investigate the endpoint to determine if it is legitimately being used for administrative functions.Variations
New SSH Administrative Behavior
Informational overridden
The endpoint performed new SSH administrative actions, relative to its previously profiled behavior. It is possible that an endpoint will infrequently be used for administrative activities, so analytics is performed using logs collected over a long period of time, also comparing the activity to that of other endpoints. That is, if many endpoints are contacting the same destination with the same administrative activity, then this network activity is less likely to result in this alert.An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement. overridden
New FTP Server Low 2 variations
A new FTP server has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.Variations
New FTP Server Accessed Via a Port Scan
Informational overridden
A new FTP server has been detected. overridden
New FTP Server from an external source
Low overridden
A new FTP server has been detected. overridden
New Shared User Account Low Identity Analytics
A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 30 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.New Teams application published to the organization catalog Informational Identity Threat Module 1 variation
A new Teams application was published to the organization catalog.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to publish this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.Variations
A Microsoft Teams application was published to the organization catalog by an unusual user
Low overridden
A new Teams application was published to the organization catalog. overridden
New addition to Windows Defender exclusion list Low 1 variation
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.Variations
New addition to Windows Defender exclusion list from an unsigned process
Medium overridden
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden
New cloud identity created with administrative policy Low Cloud 1 variation
New cloud identity was created and assigned administrative policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.Variations
Administrative IAM User Created with Credentials
Low overridden
New cloud identity was created and assigned administrative policy. overridden
Non-browser access to a pastebin-like site Low 4 variations
Non-browser access to a pastebin-like site.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: Palo Alto Networks Url LogsAttacker's goals: Data exfiltration or attack tool staging.Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.Variations
Non-browser or an uncommon browser access to a pastebin-like site
Informational overridden
Non-browser or an uncommon browser access to a pastebin-like site. overridden
Non-browser access to google sheets API
Low overridden
Non-browser access to google sheets API. overridden
Non-browser failed access to a pastebin-like site
Low overridden
Non-browser failed access to a pastebin-like site. overridden
Rare non-browser access to a pastebin-like site
Medium overridden
Rare non-browser access to a pastebin-like site. overridden
Numerous emails sent by a single sender to multiple internal recipients Informational Email
Numerous emails were sent to multiple internal recipients. This may indicate spam or any other malicious attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: Phishing, SpamAttacker's goals: Trick the user into clicking a link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Object versioning was disabled Informational Cloud 1 variation
Object versioning of a cloud storage resource was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.Investigative actions: Confirm that the identity intended to disable the resource versioning. Follow further actions done by the identity. Monitor this resource for other suspicious activities.Variations
Object versioning was disabled by an unusual identity
Informational overridden
Cloud storage versioning was disabled/suspended by an unusual identity. overridden
Office process accessed an unusual .LNK file Low
An attacker may embed a .LNK file in an Office document to execute malicious code.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: User Execution (T1204) Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Modify or create a shortcut to gain code or program execution.Investigative actions: Check if the Office document contains a shortcut object. Check the content (strings) of the document object for a .LNK shortcut. Check the content of the shortcut.Office process spawned with suspicious command-line arguments Low 2 variations
An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that executes executables from the memory of Word/Excel/PowerPoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Process Injection: Process Hollowing (T1055.012)Required data: XDR AgentAttacker's goals: Execute arbitrary code or run malicious applications undetected.Investigative actions: Check the file that spawns the office application and search for macros, formulas, or scripts.Variations
Masqueraded office process spawned with suspicious command-line arguments
Medium overridden
An executable masquerading an office process was executed with LOLBIN-like command-line arguments. overridden
PowerPoint process accesses a suspicious PPAM file
Low overridden
A PowerPoint process opened a PPAM file which might be used to execute malicious code. overridden
Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden
Okta FastPass reported phishing attack suspected Low Identity Analytics
Okta FastPass authentication reported a phishing attack suspected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker might attempt to compromise Okta accounts to gain initial access to the organization, sensitive assets or data.Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk. Examine email logs and headers to understand how the phishing email bypassed email security filters. Review the details of the phishing attempt, including the source email address, sender domain, and the content of the phishing message if available. Review recent login attempts, session details, and activity logs in OKTA for anomalies. Use threat intelligence feeds to identify if similar phishing tactics are part of a larger campaign. Examine historical access logs to see if there have been other attempts from the same IP or country and evaluate the potential threat level.Okta Reported Attack Suspected Low Identity Threat Module
Okta Threat Insight Reported Attack Suspected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker might attempt to compromise Okta accounts to gain access to sensitive assets or data.Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk.Okta Reported Threat Detected Informational Identity Threat Module 1 variation
Okta Threat Insight Reported Threat Detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.Investigative actions: Investigate the original events that were reported as suspicious. Investigate additional alerts that are activated based on the IP address. Follow further actions done by the ip.Variations
Okta detected multiple threats from the same IP along with other suspicious characteristics
Low overridden
Okta Threat Insight Reported Threat Detected. overridden
Okta User Session Impersonation Informational Identity Threat Module 1 variation
A user has initiated a session impersonation in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access to sensitive information or perform malicious actions on behalf of the impersonated user.Investigative actions: Ensure the user is authorized to impersonate a user session. Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.Variations
Okta User Session Impersonation with suspicious characteristics
Low overridden
A user has initiated a session impersonation with suspicious characteristics in Okta. overridden
Okta account reset password attempt Informational Identity Threat Module 1 variation
A user used a weak factor to reset their Okta password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Examine the IP address and assess its reputation. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Suspicious Okta account reset password attempt
Low overridden
A user used a weak factor to reset their Okta password. overridden
Okta account unlock Informational Identity Threat Module 1 variation
Okta user account was unlocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 3 Hours
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Okta account unlock with suspicious characteristics
Low overridden
Okta user account was unlocked. overridden
Okta account unlock by admin Informational Identity Threat Module 1 variation
An administrative user unlocked an Okta account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Suspicious Okta account unlock by admin
Low overridden
An administrative user unlocked an Okta account. overridden
Okta admin privilege assignment Informational Identity Threat Module 1 variation
A user assigned admin privileges to a new user or group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.Variations
Abnormal Okta admin privilege assignment with suspicious characteristics
Low overridden
A suspicious user assignment of admin privileges to a new user or group. overridden
Okta device assignment Informational Identity Threat Module 1 variation
A device was assigned as an Okta MFA device to a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: For purposes of maintaining persistence, an attacker could potentially register his device with various accounts that have been compromised.Investigative actions: Confirm that the device assignments were intentionally made by the users and are legitimate. Examine the IP address and assess its reputation. Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.Variations
A suspicious assignment of a mobile device to multiple users
Low overridden
A single device is being used as an Okta MFA device by multiple users. overridden
OneDrive file download Informational Cloud
A file was downloaded from OneDrive using the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Exfiltrate sensitive data by downloading files from OneDrive.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.OneDrive file upload Informational Cloud
A file was uploaded to OneDrive using Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Resource Development (TA0042)ATT&CK techniques: Stage Capabilities (T1608) Stage Capabilities: Upload Malware (T1608.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish persistence by uploading files to OneDrive, potentially using it as a staging area for further malicious activities.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.OneDrive folder creation Informational Cloud
A folder was created in OneDrive using Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Remote Data Staging (T1074.002)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish persistence or prepare for data exfiltration by creating a storage location in OneDrive via the Microsoft Graph API, enabling them to later upload or manipulate files undetected.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations
Identifies outbound emails that include links to file-sharing services sent externally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.Variations
Outbound email to external recipient(s) uses first-seen for organization file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email to external recipient(s) uses first-seen for sender file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation
Internal sender BCC'd an external recipient whose address has not been observed in prior communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
Outbound email sent to an unknown external BCC recipient with no To or CC addresses
Low overridden
Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden
Outbound email to an address hosted by a public email service provider Informational Email 1 variation
Internal sender emailed to an address hosted by a public email service provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Outbound email to a single address hosted by a public email service provider
Informational overridden
Internal sender emailed to a single recipient with public email service provider. overridden
Outlook files accessed by an unsigned process Low
An attacker may use an uncommon and unsigned process to access Outlook data files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001) Email Collection: Local Email Collection (T1114.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access to the data in the compromised mailbox.Investigative actions: Examine the process command and file activity to identify the mailbox. Check if the process performed any other suspicious file activity. Check if the process generated network connections.Owner added to Azure application Informational Identity Threat Module
An identity was added as an owner to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Application Access Token (T1528)Required data: AzureAD Audit LogAttacker's goals: An attacker may add owners to an application to authenticate as the application later on and access resources.Investigative actions: Check if the added account is new to the organization. Check whether the account that added the new owner is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Owner was added to Azure application Informational Cloud
An Owner was added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain administrative control and manipulate the application's permissions and settings.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.PIM privilege member removal Informational Cloud
A cloud identity has removed a user's privileged role within PIM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Azure Audit LogAttacker's goals: Disrupt system and network access by blocking legitimate user accounts.Investigative actions: Investigate the suspected identity who initiated the removal. Identify the privileged accounts that were affected. Review the current access rights of the privileged accounts.PKINIT TGT authentication request Informational Identity Analytics 2 variations
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)ATT&CK techniques: Use Alternate Authentication Material (T1550) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.Investigative actions: Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity. Inspect the Key Credentials attribute of the target account for recent modifications. Review associated service tickets or lateral movement activities tied to the target account. Investigate unusual certificate issuance or PKI activities.Variations
Suspicious PKINIT TGT authentication request
Medium overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Abnormal PKINIT TGT authentication request
Low overridden
A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse. overridden
Parsing Rule Error Medium
A Parsing Rule error was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Penetration testing tool activity attempt Informational Identity Analytics 1 variation
A SaaS API was invoked by a penetration testing tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Serverless Execution (T1648)Required data: Office 365 AuditAttacker's goals: Usage of known tools and frameworks.Investigative actions: Check if there is an active PT test ongoing.Variations
Penetration testing tool activity attempt
Medium overridden
A SaaS API was successfully invoked by a penetration testing tool. overridden
Permission Groups discovery commands Informational 1 variation
Permission group discovery command execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Permission Groups discovery commands in a Kubernetes pod
Informational overridden
Permission group discovery command execution. overridden
Phantom DLL Loading Medium 2 variations
An attacker might leverage existing processes missing module loads to load malicious code into trusted processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection, persist or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious.Variations
Phantom DLL Loading was used to load a DLL into a process after it was extracted from an internet-downloaded archive
High overridden
An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden
Phantom DLL Loading was used to load a DLL into a process after it was downloaded from an uncommon source
High overridden
An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden
Ping to localhost from an uncommon, unsigned parent process Informational
Ping is often used by malware and attackers to delay the execution of suspicious commands in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Virtualization/Sandbox Evasion (T1497)Required data: XDR AgentAttacker's goals: Use ping as an easy way to wait to try and evade detection between executions.Investigative actions: Validate if the executing process is malicious.Port Scan Informational 3 variations
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: Palo Alto Networks Firewall traffic Logs Third-Party FirewallsAttacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.Investigative actions: New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time. Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert. Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.Variations
Port scan by suspicious process
Low overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Highly suspicious port scan
Medium overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Suspicious port scan
Low overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Port Sweep Informational 1 variation
The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.Investigative actions: Ensure that the source of the port sweep is not a new server in the network. New domain controllers or servers hosting services such as SNMP can cause false positives. Check for new known vulnerabilities in the ports scanned, this method is often used to target known vulnerabilities.Variations
Port Sweep to multiple subnets
Low overridden
The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete. overridden
Possible AS-REP Roasting Attack Medium Identity Analytics 1 variation
A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.Variations
AS-REP Roasting Attack
High overridden
A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack. overridden
Possible Brute-Force attempt Informational Identity Analytics 2 variations
This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Possible Brute-Force attempt on a Honey User Account
Medium overridden
This may indicate a brute-force attack. overridden
Possible Brute-Force attempt with a successful login and suspicious characteristics
Low overridden
This may indicate a brute-force attack. overridden
Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)Required data: AzureADAttacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.Variations
OAuth Token Theft - Potential Session Hijacking Detected from new ASN
Low overridden
Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden
Possible DCSync from a non domain controller Low 5 variations
Attackers may pose a compromised host as a DC to replicate data to it (DCSync).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)ATT&CK techniques: OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Impacket AnalyticsAttacker's goals: An attacker is trying to retrieve Active Directory data, including password hashes.Investigative actions: Check whether one of the machines is a new domain controller.Variations
DCSync from a non domain controller from a non-standard process
High overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller by AppID
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Large DCSync from a non domain controller
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DCSync from an internet-facing server
Medium overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
DCSync from a non domain controller
Low overridden
Attackers may pose a compromised host as a DC to replicate data to it (DCSync). overridden
Possible DLL Hijack into a Microsoft process Informational 6 variations
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
DLL Hijack into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft development or framework related process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Search Order Hijacking Low 3 variations
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Search Order Hijacking by DLL Substitution
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible Distributed File System Namespace Management (DFSNM) abuse High
A possible abuse of Distributed File System Namespace Management (DFSNM).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Forced Authentication (T1187) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker can abuse the Distributed File System Namespace Management protocol to coerce an authentication from a DC. This authentication can later be used for obtaining a DC certificate for DCSync.Investigative actions: Check for a suspicious process on the initiator. Check if the source host is a vulnerability scanner. Look for unusual AD CS certificate requests. Check for possible DCSync alerts.Possible Email collection using Outlook RPC Informational
Outlook was executed using RPC by an uncommon parent process, this may be an indication of email collection activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Email Collection: Local Email Collection (T1114.001)Required data: XDR AgentAttacker's goals: An attacker is trying to perform email collection or manipulation using Outlook.Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use Outlook in its operation to send or extract emails.Possible GPO Enumeration Informational Identity Analytics 2 variations
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Group Policy Discovery (T1615)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Investigate the LDAP search query for any suspicious indicators. Look for additional LDAP queries the user executed that might be suspicious. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Check if the process executes LDAP search queries as part of its normal behavior.Variations
Suspicious GPO Enumeration by an LDAP tool
Medium overridden
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible GPO Enumeration by a Suspicious Process
Low overridden
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible IPFS traffic was detected Informational
The host attempted to access other nodes in an IPFS manner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.Variations
Azure First-Seen Device - Impossible Traveler
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Rare Country Login - Impossible Traveler (SSO)
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Possible Insider Threat Activity Low Identity Threat Module 1 variation
A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Financial Theft (T1657)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An insider threat might use their access to organizational resources for personal gain.Investigative actions: Check how long the user has been part of the organization. Check if the user is about to leave the company. Verify that the user is not part of a department that performs such activity as part of daily operations.Variations
Indicate Insider Threat Activity
Medium overridden
A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain. overridden
Possible Kerberoasting attack Medium Identity Analytics 1 variation
A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Kerberoasting attack
High overridden
A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack. overridden
Possible Kerberoasting without SPNs Low 1 variation
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Crack service account credentials by obtaining an easy-to-crack Kerberos ticket.Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.Variations
Possible Kerberoasting without SPNs on a sensitive server
Medium overridden
A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN. overridden
Possible Kerberos User Enumeration Informational Identity Analytics 1 variation
Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery: Domain Account (T1087.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may attempt to gain an initial foothold in the domain by enumerating users.Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Check the host from which the errors originated, and verify the legitimacy of the TGT requests. Correlate successful logons from the source host to identify potential account compromises following the failed attempts. Review source host activity to detect any additional suspicious or lateral movement behavior.Variations
Possible Kerberos User Enumeration Involving Exposed Users
Low overridden
Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated on different users in the last 10 minutes which may indicate Kerberos user enumeration. overridden
Possible Kerberos relay attack Low
A suspicious local network login was observed, which might indicate on Kerberos relay attack. This attack can lead to privilege escalation by obtaining system privileges on the target.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: Windows Event Collector XDR AgentAttacker's goals: An attacker is attempting to elevate its privileges on the machine.Investigative actions: Check for any other suspicious activity related to the host involved in the alert. Look for a new machine that was added to the domain.Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Possible admin enumeration via LDAP
Informational overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
A user executed an LDAP enumeration query with suspicious characteristics
Medium overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Rare LDAP enumeration query executed by a user
Low overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Possible LDAP Enumeration of Microsoft Configuration Manager Informational Identity Analytics 1 variation
A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server), Microsoft SCCM AnalyticsAttacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.Variations
Suspicious enumeration on Microsoft Configuration Manager via LDAP
Low overridden
A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden