Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

155 alerts match the current filters. tactic: TA0001 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Informational overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Medium overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A Kubernetes API operation was successfully invoked by an anonymous user Medium Cloud 1 variation

    An unauthenticated user successfully invoked API calls within the Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain initial access to a Kubernetes cluster.
    Investigative actions: Determine which resources were accessed anonymously. Verify whether the affected resource should be accessed by unauthenticated users.

    Variations

    A Kubernetes API operation was successfully invoked by an anonymous user outside the cluster

    High overridden

    An unauthenticated user successfully invoked API calls within the Kubernetes cluster. overridden

  • A Kubernetes dashboard service account was used outside the cluster Medium Cloud 1 variation

    A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain initial access to the Kubernetes cluster.
    Investigative actions: Determine which Kubernetes resources were accessed through the dashboard. Check whether any changes were made to the Kubernetes cluster.

    Variations

    A Kubernetes dashboard service account was unsuccessfully used outside the cluster

    Low overridden

    A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.The operation was unsuccessful. overridden

  • A Kubernetes node service account activity from external IP Informational Cloud 1 variation

    A Kubernetes node service account was seen operating from an external IP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Determine which resources were accessed by the node service account. Investigate other actions made by the node service account.

    Variations

    A Kubernetes node service account was used outside the cluster

    Low overridden

    A Kubernetes node service account was seen operating from an external IP. overridden

  • A Service Principal was created in Azure Informational Cloud

    A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Access user data. Gain control of the Azure environment.
    Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.
  • A Successful VPN connection from TOR High Identity Analytics 1 variation

    A successful VPN connection from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A Successful VPN connection from TOR via Mobile Device

    Medium overridden

    A successful VPN connection from a TOR exit node. overridden

  • A Successful login from TOR High Identity Analytics

    A successful login from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gain initial access to the organization while anonymizing the source of the activity.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.
  • A Torrent client was detected on a host Informational 1 variation

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Exfiltrate data or as a phishing entry point.
    Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    A Torrent client was detected on a host

    Informational overridden

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden

  • A cloud identity executed an API call from an unusual country Informational Cloud 7 variations

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access sensitive resources and gain high privileges.
    Investigative actions: Check if the identity routed their traffic via a VPN or shared their credentials with a remote employee.

    Variations

    A suspicious cloud identity executed an API call from an unusual country

    Medium overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A Kubernetes identity executed an API call from a country that was not seen in the organization

    Medium overridden

    A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from a country that was not seen in the organization

    Medium overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from an unusual country

    Informational overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A Kubernetes API call was executed from an unusual country

    Low overridden

    A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud API call was executed from an unusual country

    Low overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from an unusual country using a compromised AWS access key

    High overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

  • A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations

    A compute-attached identity performed actions outside the compute instance region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.

    Variations

    A compute-attached identity executed API calls outside the Lambda function's region

    Informational overridden

    A compute-attached identity performed actions outside the Lambda function region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

    High overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

    Medium overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual ASN

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity failed to execute API calls outside the instance's region

    Informational overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

  • A disabled user attempted to authenticate via SSO Informational Identity Analytics

    A disabled user attempted to authenticate via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.
  • A disabled user attempted to log in Informational Identity Analytics 1 variation

    A disabled user attempted to log in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Monitor services that may be running with a disabled user's credentials.

    Variations

    Cached interactive login attempt by a disabled user

    Informational overridden

    A disabled user attempted to log in. overridden

  • A disabled user attempted to log in to a VPN Low Identity Analytics 1 variation

    A disabled user attempted to log in suspiciously to a VPN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. a contractor user). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Possible VPN login attempt by disabled user

    Informational overridden

    A disabled user attempted to log in suspiciously to a VPN. overridden

  • A possible risky login to Azure Informational Identity Analytics 2 variations

    A risky sign-in attempt was observed in Azure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD
    Attacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Azure Risky Login with Suspicious Characteristics

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

    Azure-Defined High-Risk Login Attempt

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

  • A rare FTP user has been detected on an existing FTP server Low 1 variation

    A rare or new FTP user has been detected on an existing FTP server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.

    Variations

    Possible FTP User Scanning Detected

    Low overridden

    A rare or new FTP user has been detected on an existing FTP server. overridden

  • A rare local administrator login Informational Identity Analytics 1 variation

    A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to change sensitive settings on the host.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    Suspicious local administrator login

    Low overridden

    A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host. overridden

  • A successful SSO sign-in from TOR High Identity Analytics 1 variation

    A successful sign-in from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A successful SSO sign-in from TOR via Mobile Device

    Medium overridden

    A successful sign-in from a TOR exit node. overridden

  • A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module

    A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.
    Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.
  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    A user accessed multiple resources via SSO using an anonymized proxy

    Medium overridden

    A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden

    Suspicious user access to multiple resources via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

    Multiple Resource Access from a New IP via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

  • A user account was modified to password never expires Informational Identity Analytics 1 variation

    A user account was modified to password never expires.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Confirm that the account is not a temporary account that could be exploited by an attacker. Verify this action with the user who performed the change. Ensure the organization has a strong password aging policy.

    Variations

    A sensitive account was modified to password never expires

    Low overridden

    A sensitive user account was modified to password never expires. This account is a sensitive account as part of a sensitive built-in Active Directory group. overridden

  • A user enabled a default local account Informational Identity Analytics 2 variations

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.
    Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.

    Variations

    A user enabled the Windows DefaultAccount

    Low overridden

    A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

    A user enabled the Windows default Guest account

    Low overridden

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • A user observed and reported unusual activity in Okta Informational Identity Threat Module 2 variations

    A user observed and reported unusual activity in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.
    Investigative actions: Investigate the original event that was reported as suspicious. Contact the user and understand why he reported the activity as suspicious. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.

    Variations

    Multiple users have reported the same suspicious activity

    Medium overridden

    Unusual activity in Okta reported about an IP not linked to an EDR agent, the operation is rare and flagged by multiple users. overridden

    Unusual activity in Okta was reported by a user along with suspicious characteristics

    Low overridden

    A user observed and reported unusual activity in Okta. overridden

  • AWS STS temporary credentials were generated Informational Cloud

    AWS STS temporary credentials were generated for an AWS identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)
    Required data: AWS Audit Log
    Attacker's goals: Gain access and persistence to AWS account.
    Investigative actions: Check which operation executed with the new credentials.
  • AWS console login without MFA Informational Cloud

    An identity logged in to the AWS console without MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
    Required data: AWS Audit Log
    Attacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.
    Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.
  • AWS root account activity Informational Cloud

    The AWS root account has successfully performed an operation in the project.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Use legitimate credentials of a cloud account to access resources.
    Investigative actions: Look for any signs the Root user is compromised. Determine if the Root credentials need to be changed.
  • Abnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations

    An identity allocated an unusual compute resource pool, suspected as mining activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to generate virtual currency.
    Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).

    Variations

    Abnormal Unusual allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Suspicious allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in a high number of regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in multiple regions by an unusual identity

    Low overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

  • Account probing Low Identity Analytics

    A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Gain access to hosts by using stolen user-account credentials.
    Investigative actions: Check if the user account was compromised, and which resources it could access.
  • Allocation of multiple cloud compute resources Informational Cloud 5 variations

    An identity allocated multiple compute resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to earn virtual currency.
    Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.

    Variations

    Unusual allocation of multiple cloud compute resources

    High overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden

    Allocation of multiple cloud compute resources with accelerator gear

    Low overridden

    An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden

    Unusual allocation attempt of multiple cloud compute resources

    Low overridden

    An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

  • An AWS EKS cluster was created or deleted Informational Cloud

    An AWS EKS cluster has been created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.
    Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.
  • An AWS SAML provider was modified Informational Cloud

    An AWS SAML provider was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)
    Required data: AWS Audit Log
    Attacker's goals: Gain privileged access to AWS accounts.
    Investigative actions: Check what changes were made to the SAML provider.
  • An operation was performed by an identity from a domain that was not seen in the organization Informational Cloud 1 variation

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: External Remote Services (T1133)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.
    Investigative actions: Investigate the external domain name. Check The cloud identity activity in the organization.

    Variations

    An operation was performed by an identity from a domain that was not seen in the tenant

    Low overridden

    An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before. overridden

  • An unusual process in ingress-nginx has accessed a service-account token file High Cloud

    An unusual process in ingress-nginx has read a service-account token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.
    Investigative actions: Check if the process is intended to preform these actions.
  • Attempted Azure application access from unknown tenant Informational Cloud 2 variations

    A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Abuse serverless services to execute code in cloud environments.
    Investigative actions: Validate the legitimacy of the tenant in question. Investigate any unusual activity originating from the application.

    Variations

    Attempted Azure application access from an unusual tenant

    Medium overridden

    A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant. overridden

    Azure application access from unknown tenant

    Low overridden

    A Microsoft Graph API was executed by an Azure application from an unknown tenant. overridden

  • Authentication attempt by a honey user Low Identity Analytics 1 variation

    An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Okta OneLogin PingOne
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other authentication attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the authentication attempt. Follow further actions performed by the user.

    Variations

    Abnormal authentication by a honey user

    Medium overridden

    An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden

  • Azure application consent Informational Identity Threat Module 1 variation

    An identity consented permissions to an application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)
    Required data: AzureAD Audit Log
    Attacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.
    Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.

    Variations

    First seen Azure admin consent to an application

    Low overridden

    An administrative identity consented permissions to an application. overridden

  • Azure storage account blob anonymous access is enabled Informational Cloud

    It is possible to configure anonymous access to blobs within the storage account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Chrome Extension Installed By User Informational Identity Threat Module

    A Chrome extension was installed or updated by a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.
    Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.
  • ClickFix - PowerShell executed through the run application Low 4 variations

    An attacker may be trying to trick a user to execute PowerShell through the run application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing (T1566)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be trying to trick a user to execute PowerShell through the run application.
    Investigative actions: Check if the command line is known in the organization or malicious. And ask the user what is the source of it.

    Variations

    ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long PowerShell command executed through the run application with URL in the command

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Long encoded PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

    ClickFix - Schedule task PowerShell command executed through the run application

    High overridden

    An attacker may be trying to trick a user to execute PowerShell through the run application. overridden

  • Cloud IMDS access followed by remote token usage Medium Cloud

    A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: AWS Audit Log XDR Agent
    Attacker's goals: Gain unauthorized access by leveraging valid cloud credentials.
    Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.
  • Cloud activity from a high-risk IP address Informational Cloud 1 variation

    An identity executed a cloud API from a high-risk IP address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access using a compromised identity while obfuscating origin.
    Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.

    Variations

    Cloud activity from an unusual high-risk IP

    Low overridden

    An identity executed a cloud API from a high-risk IP address. overridden

  • Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations

    A suspicious identity type has attempted to impersonate another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.

    Variations

    Cloud impersonation attempt of a management role by unusual identity type

    Informational overridden

    An unusual cloud identity type attempted to impersonate a management role. overridden

    Successful cloud impersonation by an unusual identity type

    Medium overridden

    A suspicious identity type has successfully impersonated another identity. overridden

  • Download pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Email attachment with a potentially malicious file extension Informational Email 2 variations

    The email message includes attachments with file types that are typically blocked by the email vendor as a precaution due to their suspicious nature.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution (T1204)
    Required data: Microsoft 365 Emails
    Attacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.
    Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's domain to confirm its legitimacy. Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before. Verify if the sender's IP address is identifiable.

    Variations

    Attachment(s) with a potentially malicious file extension unusual for the organization

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time within the organization in the past 30 days. overridden

    Attachment(s) with a potentially malicious file extension unusual for the recipient

    Informational overridden

    At least one attachment with a potentially malicious file extension was received in an email for the first time for the recipient in the past 30 days. overridden

  • Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Spam
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email with high Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with high Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

  • Email mimics replies or forwards without an actual ongoing conversation Informational Email

    An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566) Trusted Relationship (T1199)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, mislead recipients by concealing harmful intents such as phishing or malware distribution.
    Investigative actions: Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged. Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email was received from an unknown address using a public provider domain Informational Email

    The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email was received from an unknown sender using a disposable domain Low Email

    The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email with file-sharing link containing auto-download parameter Low Email 1 variation

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Execution (TA0002)
    ATT&CK techniques: Phishing: Spearphishing Link (T1566.002) User Execution: Malicious File (T1204.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: The attacker may be attempting to deliver malware or exfiltrate data using auto-download file-sharing links.
    Investigative actions: Analyze the linked file(s) to determine if they pose any security risk. Check the sender's communication history within the organization. Analyze the file reputation using sandbox or threat intelligence sources. Verify whether similar links were sent to other users.

    Variations

    External email with file-sharing link containing auto-download parameter

    Low overridden

    The email contains a link to a file-sharing service that includes parameters likely to trigger automatic download. overridden

  • Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    A recently configured Exchange DKIM signing configuration was disabled

    Informational overridden

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden

  • Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.
  • Exchange Safe Link policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.
  • Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    Recently configured Exchange anti-phish policy disabled or removed

    Informational overridden

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden

  • Executable or Script file written by a web server process Low 3 variations

    An uncommon executable or script file was created, written, or renamed by a web server process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Webshell Analytics
    Attacker's goals: Gain the ability to execute commands on the host and establish persistence.
    Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.

    Variations

    A driver was written by a web server process

    Low overridden

    An uncommon driver file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process in an internet facing server

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

    Executable or Script file written by a web server process with connections from various sources and high web traffic

    Low overridden

    An uncommon executable or script file was created, written, or renamed by a web server process. overridden

  • External user added a link to a Microsoft Teams chat Informational Identity Threat Module 1 variation

    An external user added a link to a Microsoft Teams chat.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the external tenant and user are authorized to share links or files with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that have been sent in the conversation. Evaluate the external domain reputation. Review past communication from the external user. Follow further actions done by the account.

    Variations

    An external user sent a link via Microsoft Teams with suspicious parameters

    Low overridden

    An external user sent a link with suspicious parameters in a Microsoft Teams conversation. overridden

  • External user call via Microsoft Teams Informational Identity Threat Module 2 variations

    An external user called a user in the organization via Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing: Spearphishing Voice (T1566.004)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct voice phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the external tenant and external user are authorized to call users in the organization. Check external domain reputation. Follow further actions performed by the user who participated in the call. Verify if the user account was compromised or was a victim of a voice phishing campaign.

    Variations

    A first seen external user with a suspicious name initiated a Microsoft Teams call

    Medium overridden

    A first seen external user with a suspicious name successfully called via Microsoft Teams a user in the organization. overridden

    An external user with a suspicious name initiated a Microsoft Teams call

    Low overridden

    An external user with a suspicious name called via Microsoft Teams a user in the organization. overridden

  • External user created a Microsoft Teams conversation with suspicious operations Informational Identity Threat Module 9 variations

    An external user created a Microsoft Teams conversation with users in the organization with additional suspicious operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify whether any user was removed from the conversation, and determine the reason for their removal. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.

    Variations

    An external user initiated a Microsoft Teams chat in which a suspicious link was shared and a member was removed

    Low overridden

    An external user initiated a Microsoft Teams chat in which a link, with a domain that hasn't been seen the last 30 days, was shared, and a member was removed. overridden

    An external user created a chat and shortly after sent a link with a newly seen domain name

    Low overridden

    An external user created a chat and shortly after sent a link to a conversation via Microsoft Teams that refers to a domain that was seen for the first time in the past 30 days. overridden

    An external user initiated a Microsoft Teams chat in which a link was shared and a member was removed

    Low overridden

    An external user initiated a Microsoft Teams chat in which a link with a rarely seen domain was shared, and a member was removed. overridden

    An external user created a chat then sent a link with a file for the first time via Microsoft Teams

    Low overridden

    An external user sent a link for the first time during the past 30 days in a Microsoft Teams conversation, and the link points to a file. overridden

    An external user created a chat with a suspicious user or chat name and then sent a link via Microsoft Teams

    Low overridden

    An external user created a chat with a suspicious user or chat name and sent a link in Microsoft Teams, which can be a phishing attempt. overridden

    External user created a Microsoft Teams conversation with a suspicious user or chat name and shortly after removed a user from it

    Low overridden

    An external user created a conversation with a suspicious user or chat name, and then removed a member, which could indicate potential suspicious activity. overridden

    An external user created a chat then sent a link via Microsoft Teams

    Informational overridden

    An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden

    An external user created a chat and then sent a link via Microsoft Teams

    Informational overridden

    An external user created a chat and sent a link in Microsoft Teams, which can be a phishing attempt. overridden

    External user created a Microsoft Teams conversation and shortly after removed a user from it

    Informational overridden

    An external user created a conversation and then removed a member, which could indicate potential suspicious activity. overridden

  • External user started a Microsoft Teams conversation Informational Identity Threat Module 5 variations

    An external user started a Microsoft Teams conversation with users in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Confirm that the tenant and user are authorized to start a conversation with users in the organization. Verify the content of the conversation and validate that there is no phishing attempt being made. Inspect links and URLs that might have been sent in the conversation. Check external domain reputation. Review past communication from the external user. Follow further actions done by the account.

    Variations

    An external user started multiple conversations in Microsoft Teams with suspicious chat names

    Low overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    An external user started a conversation in Microsoft Teams with a suspicious user or chat name

    Low overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    An external user started multiple conversations in Microsoft Teams

    Low overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    External user started a Microsoft Teams conversation and sent a message

    Informational overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

    An external user started conversations in Microsoft Teams with many internal users

    Informational overridden

    An external user started a Microsoft Teams conversation with users in the organization. overridden

  • FTP Connection Using an Anonymous Login or Default Credentials Low

    An FTP connection using an anonymous login was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Failed Login For a Long Username With Special Characters Informational

    A long username containing special characters failed to log in to the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Exploit Public-Facing Application (T1190)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker is trying to get code execution on internet-facing assets through command injection.
    Investigative actions: Is the host running internet-facing services? Are we looking at sanction vulnerability scanning?
  • First Azure AD PowerShell operation for a user Low Identity Threat Module

    A user performed an Azure AD operation using a PowerShell user-agent for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Achieve initial access to a company's resources.
    Investigative actions: Follow the actions the user performed using PowerShell. Confirm with the user that the action was intended.
  • First SSO Resource Access in the Organization Informational Identity Analytics 1 variation

    A resource was accessed for the first time via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use a possibly compromised account to access privileged resources.
    Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.

    Variations

    Abnormal first access to a resource via SSO in the organization

    Low overridden

    A resource was accessed for the first time via SSO with suspicious characteristics. overridden

  • First SSO access from ASN for user Informational Identity Analytics 2 variations

    A user successfully authenticated via SSO with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    First SSO access from ASN for user - suspicious characteristics detected

    Low overridden

    First SSO access from ASN for user that shows suspicious characteristics. overridden

    Google Workspace - First SSO access from ASN for user

    Informational overridden

    A user successfully authenticated via SSO with a new ASN. overridden

  • First SSO access from ASN in organization Informational Identity Analytics 2 variations

    An SSO authentication was made with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    First successful SSO access from ASN in the organization

    Low overridden

    An SSO authentication was made with a new ASN. overridden

    Google Workspace - First SSO access from ASN in organization

    Informational overridden

    An SSO authentication was made with a new ASN. overridden

  • First VPN access from ASN for user Informational Identity Analytics 1 variation

    A user logged in to a VPN with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    Unusual VPN access from ASN

    Low overridden

    An unusual VPN login was made by a user. overridden

  • First VPN access from ASN in organization Informational Identity Analytics

    A VPN connection was attempted from a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the connection was successful. Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.
  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • Intense SSO failures Informational Identity Analytics 1 variation

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.

    Variations

    Intense SSO failures with suspicious characteristics

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden

  • Interactive login by a machine account Informational Identity Analytics 1 variation

    A machine account performed an interactive or remote interactive login.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Successful interactive login by a machine account

    Low overridden

    A machine account performed a successful interactive or remote interactive login. overridden

  • Interactive login by a service account Low Identity Analytics 2 variations

    A service account performed an interactive or remote interactive login.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Interactive login by a service account to a sensitive server

    Medium overridden

    Interactive login by a service account to a sensitive server. overridden

    Failed interactive login by a service account

    Informational overridden

    A service account performed an interactive or remote interactive login. overridden

  • Interactive login from a shared user account Informational Identity Analytics

    A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.
    Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.
  • Kubernetes service account activity outside the cluster Informational Cloud 2 variations

    A service account user successfully invoked API calls outside the Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Determine which Kubernetes resources were accessed using the service account. Verify whether the service account token was exposed.

    Variations

    Unusual Kubernetes service account activity outside the cluster

    Low overridden

    A service account user successfully invoked API calls outside the Kubernetes cluster. overridden

    Kubernetes service account activity outside the cluster from non-cloud IP

    Low overridden

    A service account user successfully invoked API calls outside the Kubernetes cluster. overridden

  • Login attempt by a honey user Low Identity Analytics 1 variation

    A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Successful login by a honey user

    Medium overridden

    A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden

  • Microsoft Office Process Spawning a Suspicious One-Liner Medium

    A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to gain code execution on the host.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.
  • Microsoft Office injects code into a process Low 5 variations

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Phishing: Spearphishing Attachment (T1566.001) Process Injection (T1055)
    Required data: XDR Agent
    Detector tags: Injection Analytics
    Attacker's goals: An attacker attempts to gain code execution via a phishing document. Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unsigned Microsoft Office injects code into a process

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to a non-standard PE section

    High overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process to an undeclared memory page

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office injects code into a process from an unsigned process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

    Microsoft Office macro-enabled spreadsheet (XLSM) injects code into a process

    Medium overridden

    An attacker may inject payloads into processes via Microsoft Office. While legitimate in certain cases, code injection can also be used in malicious ways. overridden

  • Microsoft Office process spawns a commonly abused process Low

    Microsoft Office process spawns a commonly abused process with an uncommon command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution (T1204) Phishing: Spearphishing Attachment (T1566.001)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via a phishing document.
    Investigative actions: Check the source of the document (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Microsoft Office process spawns conhost.exe Low

    This unusual parent-child relationship may indicate that a Microsoft Office application executed a console-based application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: User Execution: Malicious File (T1204.002) Phishing (T1566)
    Required data: XDR Agent
    Attacker's goals: An attacker attempts to gain code execution via an Office application or via an Office document.
    Investigative actions: Check the source of the file or email (received by mail or loaded locally). Investigate the child processes for malicious activity and network connections to an external host.
  • Multiple Suspicious FTP Login Attempts Low

    Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Multiple failed logins from a single IP Informational Cloud 2 variations

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access to the cloud console.
    Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.

    Variations

    Multiple failed logins from an unknown IP

    Medium overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden

    Multiple failed logins from a single IP by a compromised AWS access key

    High overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden

  • Multiple risk indicators for a cloud identity High Cloud

    Multiple risk indicators detected for a cloud identity, combining unusual activity with activity from unusual geolocation or high-risk IP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Compromise a cloud user account to gain access and perform malicious activities.
    Investigative actions: Review the user's recent activity for any unauthorized actions.Rotate the user's credentials immediately if confirmed compromised.
  • New FTP Server Low 2 variations

    A new FTP server has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.

    Variations

    New FTP Server Accessed Via a Port Scan

    Informational overridden

    A new FTP server has been detected. overridden

    New FTP Server from an external source

    Low overridden

    A new FTP server has been detected. overridden

  • New Shared User Account Low Identity Analytics

    A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    30 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.
    Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.
  • Numerous emails sent by a single sender to multiple internal recipients Informational Email

    Numerous emails were sent to multiple internal recipients. This may indicate spam or any other malicious attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Phishing, Spam
    Attacker's goals: Trick the user into clicking a link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Okta FastPass reported phishing attack suspected Low Identity Analytics

    Okta FastPass authentication reported a phishing attack suspected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker might attempt to compromise Okta accounts to gain initial access to the organization, sensitive assets or data.
    Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk. Examine email logs and headers to understand how the phishing email bypassed email security filters. Review the details of the phishing attempt, including the source email address, sender domain, and the content of the phishing message if available. Review recent login attempts, session details, and activity logs in OKTA for anomalies. Use threat intelligence feeds to identify if similar phishing tactics are part of a larger campaign. Examine historical access logs to see if there have been other attempts from the same IP or country and evaluate the potential threat level.
  • Okta Reported Attack Suspected Low Identity Threat Module

    Okta Threat Insight Reported Attack Suspected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker might attempt to compromise Okta accounts to gain access to sensitive assets or data.
    Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk.
  • Okta Reported Threat Detected Informational Identity Threat Module 1 variation

    Okta Threat Insight Reported Threat Detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.
    Investigative actions: Investigate the original events that were reported as suspicious. Investigate additional alerts that are activated based on the IP address. Follow further actions done by the ip.

    Variations

    Okta detected multiple threats from the same IP along with other suspicious characteristics

    Low overridden

    Okta Threat Insight Reported Threat Detected. overridden

  • Okta User Session Impersonation Informational Identity Threat Module 1 variation

    A user has initiated a session impersonation in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access to sensitive information or perform malicious actions on behalf of the impersonated user.
    Investigative actions: Ensure the user is authorized to impersonate a user session. Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.

    Variations

    Okta User Session Impersonation with suspicious characteristics

    Low overridden

    A user has initiated a session impersonation with suspicious characteristics in Okta. overridden

  • Okta account reset password attempt Informational Identity Threat Module 1 variation

    A user used a weak factor to reset their Okta password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Examine the IP address and assess its reputation. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Suspicious Okta account reset password attempt

    Low overridden

    A user used a weak factor to reset their Okta password. overridden

  • Okta account unlock Informational Identity Threat Module 1 variation

    Okta user account was unlocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    3 Hours
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Okta account unlock with suspicious characteristics

    Low overridden

    Okta user account was unlocked. overridden

  • Okta account unlock by admin Informational Identity Threat Module 1 variation

    An administrative user unlocked an Okta account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Suspicious Okta account unlock by admin

    Low overridden

    An administrative user unlocked an Okta account. overridden

  • Okta device assignment Informational Identity Threat Module 1 variation

    A device was assigned as an Okta MFA device to a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: For purposes of maintaining persistence, an attacker could potentially register his device with various accounts that have been compromised.
    Investigative actions: Confirm that the device assignments were intentionally made by the users and are legitimate. Examine the IP address and assess its reputation. Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.

    Variations

    A suspicious assignment of a mobile device to multiple users

    Low overridden

    A single device is being used as an Okta MFA device by multiple users. overridden

  • Possible ConsentFix - OAuth Token Theft Detected Informational Identity Threat Module 1 variation

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Phishing (T1566) User Execution: Malicious Link (T1204.001) Steal Application Access Token (T1528)
    Required data: AzureAD
    Attacker's goals: Bypass identity trust controls to gain persistent unauthorized access to cloud resources.
    Investigative actions: Check for successful logins to Azure CLI or PowerShell from anomalous IPs. Review sign-in logs for User-Agents associated with CLI tools or scripts. Revoke all active OAuth refresh tokens for the user immediately.

    Variations

    OAuth Token Theft - Potential Session Hijacking Detected from new ASN

    Low overridden

    Detection of potential OAuth token theft via a forced 'localhost' redirect and first-party app abuse.This indicates an attacker has likely bypassed MFA to hijack a user's cloud session. overridden

  • Possible IPFS traffic was detected Informational

    The host attempted to access other nodes in an IPFS manner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.
  • Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.
    Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.

    Variations

    Azure First-Seen Device - Impossible Traveler

    Low overridden

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden

    Rare Country Login - Impossible Traveler (SSO)

    Low overridden

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden

  • Possible multistage attack in Microsoft Teams Low Identity Threat Module 1 variation

    Possible multistage attack in Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Verify the suspicious activity to validate the legitimacy of the user's actions. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.

    Variations

    Malicious activity had been detected with strong indicators

    Medium overridden

    Malicious Microsoft Teams activity detected across multiple indicators, the activities have strong indications of a malicious action. overridden

  • Possible phishing attack via Microsoft Teams Low Identity Threat Module 3 variations

    An external tenant is possibly attempting a phishing attack via Microsoft Teams.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Microsoft Teams to conduct phishing attacks by exploiting trusted communication channels with users inside the organization.
    Investigative actions: Verify the suspicious sign-in activity to validate the legitimacy of the suspicious login. Review Teams chat logs and meeting invites for interactions with external tenants, focusing on unusual file sharing or unsolicited links. Hunt for known phishing indicators (suspicious domains, URL patterns, or IPs) in the Teams messages and linked content. Evaluate the external tenant reputation. Check for anomalous MS Teams actions like suspicious application installation, message extraction, policy changes or internal spear phishing attempts linked to the user post-login. Follow further actions done by the account.

    Variations

    Potential phishing attack with post compromise stages had been detected

    High overridden

    Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login and post compromise actions. overridden

    Potential phishing attack via Microsoft Teams has been detected

    Medium overridden

    Suspicious Microsoft Teams phishing activity detected across multiple indicators, the activities have strong indications of a malicious login. overridden

    Potential phishing attack with post compromise activities in Microsoft Teams has been detected

    Medium overridden

    Suspicious Microsoft Teams phishing activity detected across multiple indicators. overridden

  • Possible use of IPFS was detected Informational 1 variation

    The host produced traffic consistent with IPFS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    Possible use of IPFS was detected

    Informational overridden

    The host produced traffic consistent with IPFS. overridden