Analytics Alerts
Browse the Cortex analytics alert reference.
87 alerts match the current filters. tactic: TA0001 ✕ technique: T1078 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: Gcp Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service
Informational overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from a GCP Cloud Build service
Low overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service
Medium overridden
A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden
A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
A Kubernetes API operation was successfully invoked by an anonymous user Medium Cloud 1 variation
An unauthenticated user successfully invoked API calls within the Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain initial access to a Kubernetes cluster.Investigative actions: Determine which resources were accessed anonymously. Verify whether the affected resource should be accessed by unauthenticated users.Variations
A Kubernetes API operation was successfully invoked by an anonymous user outside the cluster
High overridden
An unauthenticated user successfully invoked API calls within the Kubernetes cluster. overridden
A Kubernetes node service account activity from external IP Informational Cloud 1 variation
A Kubernetes node service account was seen operating from an external IP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the Kubernetes cluster.Investigative actions: Determine which resources were accessed by the node service account. Investigate other actions made by the node service account.Variations
A Kubernetes node service account was used outside the cluster
Low overridden
A Kubernetes node service account was seen operating from an external IP. overridden
A Service Principal was created in Azure Informational Cloud
A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Azure Audit LogAttacker's goals: Access user data. Gain control of the Azure environment.Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.A Successful VPN connection from TOR High Identity Analytics 1 variation
A successful VPN connection from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A Successful VPN connection from TOR via Mobile Device
Medium overridden
A successful VPN connection from a TOR exit node. overridden
A Successful login from TOR High Identity Analytics
A successful login from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gain initial access to the organization while anonymizing the source of the activity.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.A cloud identity executed an API call from an unusual country Informational Cloud 7 variations
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access sensitive resources and gain high privileges.Investigative actions: Check if the identity routed their traffic via a VPN or shared their credentials with a remote employee.Variations
A suspicious cloud identity executed an API call from an unusual country
Medium overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A Kubernetes identity executed an API call from a country that was not seen in the organization
Medium overridden
A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity executed an API call from a country that was not seen in the organization
Medium overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity executed an API call from an unusual country
Informational overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A Kubernetes API call was executed from an unusual country
Low overridden
A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud API call was executed from an unusual country
Low overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A cloud identity executed an API call from an unusual country using a compromised AWS access key
High overridden
A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden
A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations
A compute-attached identity performed actions outside the compute instance region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.Variations
A compute-attached identity executed API calls outside the Lambda function's region
Informational overridden
A compute-attached identity performed actions outside the Lambda function region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN
High overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual geolocation
Medium overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region from an unusual ASN
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity executed API calls outside the instance's region
Low overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A compute-attached identity failed to execute API calls outside the instance's region
Informational overridden
A compute-attached identity performed actions outside the compute instance region. overridden
A disabled user attempted to authenticate via SSO Informational Identity Analytics
A disabled user attempted to authenticate via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.A disabled user attempted to log in Informational Identity Analytics 1 variation
A disabled user attempted to log in.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Monitor services that may be running with a disabled user's credentials.Variations
Cached interactive login attempt by a disabled user
Informational overridden
A disabled user attempted to log in. overridden
A disabled user attempted to log in to a VPN Low Identity Analytics 1 variation
A disabled user attempted to log in suspiciously to a VPN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. a contractor user). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Possible VPN login attempt by disabled user
Informational overridden
A disabled user attempted to log in suspiciously to a VPN. overridden
A possible risky login to Azure Informational Identity Analytics 2 variations
A risky sign-in attempt was observed in Azure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureADAttacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Azure Risky Login with Suspicious Characteristics
Low overridden
A risky sign-in attempt was observed in Azure. overridden
Azure-Defined High-Risk Login Attempt
Low overridden
A risky sign-in attempt was observed in Azure. overridden
A rare FTP user has been detected on an existing FTP server Low 1 variation
A rare or new FTP user has been detected on an existing FTP server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.Variations
Possible FTP User Scanning Detected
Low overridden
A rare or new FTP user has been detected on an existing FTP server. overridden
A rare local administrator login Informational Identity Analytics 1 variation
A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: The attacker attempts to change sensitive settings on the host.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
Suspicious local administrator login
Low overridden
A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host. overridden
A successful SSO sign-in from TOR High Identity Analytics 1 variation
A successful sign-in from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A successful SSO sign-in from TOR via Mobile Device
Medium overridden
A successful sign-in from a TOR exit node. overridden
A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module
A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.Variations
A user accessed multiple resources via SSO using an anonymized proxy
Medium overridden
A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden
Suspicious user access to multiple resources via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
Multiple Resource Access from a New IP via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
A user account was modified to password never expires Informational Identity Analytics 1 variation
A user account was modified to password never expires.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Confirm that the account is not a temporary account that could be exploited by an attacker. Verify this action with the user who performed the change. Ensure the organization has a strong password aging policy.Variations
A sensitive account was modified to password never expires
Low overridden
A sensitive user account was modified to password never expires. This account is a sensitive account as part of a sensitive built-in Active Directory group. overridden
A user enabled a default local account Informational Identity Analytics 2 variations
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.Variations
A user enabled the Windows DefaultAccount
Low overridden
A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user enabled the Windows default Guest account
Low overridden
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
A user observed and reported unusual activity in Okta Informational Identity Threat Module 2 variations
A user observed and reported unusual activity in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.Investigative actions: Investigate the original event that was reported as suspicious. Contact the user and understand why he reported the activity as suspicious. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Variations
Multiple users have reported the same suspicious activity
Medium overridden
Unusual activity in Okta reported about an IP not linked to an EDR agent, the operation is rare and flagged by multiple users. overridden
Unusual activity in Okta was reported by a user along with suspicious characteristics
Low overridden
A user observed and reported unusual activity in Okta. overridden
AWS STS temporary credentials were generated Informational Cloud
AWS STS temporary credentials were generated for an AWS identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)Required data: AWS Audit LogAttacker's goals: Gain access and persistence to AWS account.Investigative actions: Check which operation executed with the new credentials.AWS console login without MFA Informational Cloud
An identity logged in to the AWS console without MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)Required data: AWS Audit LogAttacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.AWS root account activity Informational Cloud
The AWS root account has successfully performed an operation in the project.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Use legitimate credentials of a cloud account to access resources.Investigative actions: Look for any signs the Root user is compromised. Determine if the Root credentials need to be changed.Abnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations
An identity allocated an unusual compute resource pool, suspected as mining activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to generate virtual currency.Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).Variations
Abnormal Unusual allocation of compute resources in multiple regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Suspicious allocation of compute resources in multiple regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Allocation of compute resources in a high number of regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Allocation of compute resources in multiple regions by an unusual identity
Low overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Account probing Low Identity Analytics
A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Gain access to hosts by using stolen user-account credentials.Investigative actions: Check if the user account was compromised, and which resources it could access.Allocation of multiple cloud compute resources Informational Cloud 5 variations
An identity allocated multiple compute resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.Variations
Unusual allocation of multiple cloud compute resources
High overridden
An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden
Unusual allocation of multiple cloud compute resources
Medium overridden
An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden
Unusual allocation of multiple cloud compute resources
Medium overridden
An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden
Allocation of multiple cloud compute resources with accelerator gear
Low overridden
An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden
Unusual allocation attempt of multiple cloud compute resources
Low overridden
An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden
An AWS EKS cluster was created or deleted Informational Cloud
An AWS EKS cluster has been created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.Authentication attempt by a honey user Low Identity Analytics 1 variation
An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Okta OneLogin PingOneDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other authentication attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the authentication attempt. Follow further actions performed by the user.Variations
Abnormal authentication by a honey user
Medium overridden
An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden
Azure storage account blob anonymous access is enabled Informational Cloud
It is possible to configure anonymous access to blobs within the storage account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Cloud activity from a high-risk IP address Informational Cloud 1 variation
An identity executed a cloud API from a high-risk IP address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access using a compromised identity while obfuscating origin.Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.Variations
Cloud activity from an unusual high-risk IP
Low overridden
An identity executed a cloud API from a high-risk IP address. overridden
Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations
A suspicious identity type has attempted to impersonate another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.Variations
Cloud impersonation attempt of a management role by unusual identity type
Informational overridden
An unusual cloud identity type attempted to impersonate a management role. overridden
Successful cloud impersonation by an unusual identity type
Medium overridden
A suspicious identity type has successfully impersonated another identity. overridden
FTP Connection Using an Anonymous Login or Default Credentials Low
An FTP connection using an anonymous login was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.First Azure AD PowerShell operation for a user Low Identity Threat Module
A user performed an Azure AD operation using a PowerShell user-agent for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Achieve initial access to a company's resources.Investigative actions: Follow the actions the user performed using PowerShell. Confirm with the user that the action was intended.First SSO Resource Access in the Organization Informational Identity Analytics 1 variation
A resource was accessed for the first time via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use a possibly compromised account to access privileged resources.Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.Variations
Abnormal first access to a resource via SSO in the organization
Low overridden
A resource was accessed for the first time via SSO with suspicious characteristics. overridden
First SSO access from ASN for user Informational Identity Analytics 2 variations
A user successfully authenticated via SSO with a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
First SSO access from ASN for user - suspicious characteristics detected
Low overridden
First SSO access from ASN for user that shows suspicious characteristics. overridden
Google Workspace - First SSO access from ASN for user
Informational overridden
A user successfully authenticated via SSO with a new ASN. overridden
First SSO access from ASN in organization Informational Identity Analytics 2 variations
An SSO authentication was made with a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
First successful SSO access from ASN in the organization
Low overridden
An SSO authentication was made with a new ASN. overridden
Google Workspace - First SSO access from ASN in organization
Informational overridden
An SSO authentication was made with a new ASN. overridden
First VPN access from ASN for user Informational Identity Analytics 1 variation
A user logged in to a VPN with a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
Unusual VPN access from ASN
Low overridden
An unusual VPN login was made by a user. overridden
First VPN access from ASN in organization Informational Identity Analytics
A VPN connection was attempted from a new ASN.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the connection was successful. Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.GCP service account impersonation attempt Informational Cloud
An attempt to impersonate the GCP service account failed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: Gcp Audit LogAttacker's goals: Escalate privileges to gain elevated access to cloud resources.Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.Intense SSO failures Informational Identity Analytics 1 variation
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.Variations
Intense SSO failures with suspicious characteristics
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden
Interactive login by a machine account Informational Identity Analytics 1 variation
A machine account performed an interactive or remote interactive login.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Successful interactive login by a machine account
Low overridden
A machine account performed a successful interactive or remote interactive login. overridden
Interactive login by a service account Low Identity Analytics 2 variations
A service account performed an interactive or remote interactive login.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Interactive login by a service account to a sensitive server
Medium overridden
Interactive login by a service account to a sensitive server. overridden
Failed interactive login by a service account
Informational overridden
A service account performed an interactive or remote interactive login. overridden
Interactive login from a shared user account Informational Identity Analytics
A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.Kubernetes service account activity outside the cluster Informational Cloud 2 variations
A service account user successfully invoked API calls outside the Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the Kubernetes cluster.Investigative actions: Determine which Kubernetes resources were accessed using the service account. Verify whether the service account token was exposed.Variations
Unusual Kubernetes service account activity outside the cluster
Low overridden
A service account user successfully invoked API calls outside the Kubernetes cluster. overridden
Kubernetes service account activity outside the cluster from non-cloud IP
Low overridden
A service account user successfully invoked API calls outside the Kubernetes cluster. overridden
Login attempt by a honey user Low Identity Analytics 1 variation
A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Successful login by a honey user
Medium overridden
A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden
Multiple Suspicious FTP Login Attempts Low
Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.Multiple failed logins from a single IP Informational Cloud 2 variations
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access to the cloud console.Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.Variations
Multiple failed logins from an unknown IP
Medium overridden
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden
Multiple failed logins from a single IP by a compromised AWS access key
High overridden
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden
Multiple risk indicators for a cloud identity High Cloud
Multiple risk indicators detected for a cloud identity, combining unusual activity with activity from unusual geolocation or high-risk IP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Compromise a cloud user account to gain access and perform malicious activities.Investigative actions: Review the user's recent activity for any unauthorized actions.Rotate the user's credentials immediately if confirmed compromised.New FTP Server Low 2 variations
A new FTP server has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.Variations
New FTP Server Accessed Via a Port Scan
Informational overridden
A new FTP server has been detected. overridden
New FTP Server from an external source
Low overridden
A new FTP server has been detected. overridden
New Shared User Account Low Identity Analytics
A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 30 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.Okta Reported Attack Suspected Low Identity Threat Module
Okta Threat Insight Reported Attack Suspected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker might attempt to compromise Okta accounts to gain access to sensitive assets or data.Investigative actions: Examine Okta alerts and search for signs of compromise to evaluate the potential risk.Okta Reported Threat Detected Informational Identity Threat Module 1 variation
Okta Threat Insight Reported Threat Detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.Investigative actions: Investigate the original events that were reported as suspicious. Investigate additional alerts that are activated based on the IP address. Follow further actions done by the ip.Variations
Okta detected multiple threats from the same IP along with other suspicious characteristics
Low overridden
Okta Threat Insight Reported Threat Detected. overridden
Okta account reset password attempt Informational Identity Threat Module 1 variation
A user used a weak factor to reset their Okta password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker might deceive the victim into resetting their password, a common tactic in account takeover schemes.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Examine the IP address and assess its reputation. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Suspicious Okta account reset password attempt
Low overridden
A user used a weak factor to reset their Okta password. overridden
Okta account unlock Informational Identity Threat Module 1 variation
Okta user account was unlocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 3 Hours
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Okta account unlock with suspicious characteristics
Low overridden
Okta user account was unlocked. overridden
Okta account unlock by admin Informational Identity Threat Module 1 variation
An administrative user unlocked an Okta account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: The attacker's goal is to gain unauthorized access to sensitive information or resources and to gain control over the locked account.Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Examine the user's actions preceding and following the activation of the alert. Initiate contact with the user to verify the authenticity of the account unlock action. Check account the user successfully authenticated after the event. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.Variations
Suspicious Okta account unlock by admin
Low overridden
An administrative user unlocked an Okta account. overridden
Okta device assignment Informational Identity Threat Module 1 variation
A device was assigned as an Okta MFA device to a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: For purposes of maintaining persistence, an attacker could potentially register his device with various accounts that have been compromised.Investigative actions: Confirm that the device assignments were intentionally made by the users and are legitimate. Examine the IP address and assess its reputation. Continue monitoring the accounts for any subsequent actions that may indicate suspicious behavior.Variations
A suspicious assignment of a mobile device to multiple users
Low overridden
A single device is being used as an Okta MFA device by multiple users. overridden
Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.Variations
Azure First-Seen Device - Impossible Traveler
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Rare Country Login - Impossible Traveler (SSO)
Low overridden
A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden
Potential Okta access limit breach Informational Identity Threat Module 1 variation
A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
A breach in access limits within Okta, accompanied by suspicious characteristics
Low overridden
The user exceeded the access threshold in Okta, triggering a violation alert. overridden
Remote usage of AWS Lambda's role Informational Cloud 5 variations
An AWS Lambda's role was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the IAM role was assumed by an unknown identity. Check what API calls were executed using the access-key.Variations
Remote command line usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Medium overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
Low overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Suspicious usage of AWS Lambda's role
High overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Usage of AWS Lambda's role from a known ASN
Informational overridden
An AWS Lambda's role was used externally of the cloud environment. overridden
Remote usage of an AWS service token Low Cloud 1 variation
An AWS service token was used externally of the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Use Alternate Authentication Material: Application Access Token (T1550.001) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate a token and abuse it remotely.Investigative actions: Check what actions were executed using the access-key. Check if the IAM role was assumed by a different identity.Variations
Suspicious usage of AWS service token
Medium overridden
An AWS service token was used externally of the cloud environment. overridden
SSO authentication attempt by a honey user Low Identity Analytics 1 variation
An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Okta OneLogin PingOneDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Abnormal SSO authentication by a honey user
Medium overridden
An SSO authentication attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden
SSO authentication by a machine account Low Identity Analytics
A machine account successfully authenticated via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.SSO authentication by a service account Low Identity Analytics 2 variations
A service account successfully authenticated via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.Investigative actions: Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare non-interactive SSO authentication by a service account
Informational overridden
A service account successfully authenticated via SSO. overridden
First time SSO authentication by a service account
Medium overridden
A service account successfully authenticated via SSO. overridden
SSO with abnormal operating system Informational Identity Analytics
A user successfully authenticated via SSO with an abnormal operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD OktaAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.SSO with abnormal user agent Informational Identity Analytics 1 variation
A user successfully authenticated via SSO with an abnormal user agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Okta AzureAD Azure SignIn Log Duo PingOneAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new user agent app). Follow actions and suspicious activities regarding the user.Variations
SSO with an offensive user agent
Low overridden
A user successfully authenticated via SSO with an offensive user agent. overridden
SSO with new operating system Informational Identity Analytics
A user successfully authenticated via SSO with a new operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Okta Azure SignIn Log AzureAD DuoAttacker's goals: Use a legitimate user and authenticate via an SSO service to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.Suspicious API call from a Tor exit node High Cloud 2 variations
A cloud API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Suspicious Kubernetes API call from a Tor exit node
High overridden
A Kubernetes API was called from a Tor exit node. overridden
A Failed API call from a Tor exit node
Informational overridden
A cloud API was called from a Tor exit node. overridden
Suspicious Azure AD interactive sign-in using PowerShell Informational Identity Analytics 1 variation
A user interactively logged in to Azure AD via PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureADAttacker's goals: The attacker attempts to gain access to the organization's resources.Investigative actions: Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Variations
Unusual Azure AD interactive sign-in using PowerShell
Low overridden
A user interactively logged in to Azure AD via PowerShell from an unusual geolocation or ASN. overridden
Suspicious MFA request reported by user in Entra ID Informational Identity Threat Module 1 variation
A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker may attempt to gain unauthorized access to the account.Investigative actions: Check if the authentication attempt was legitimate. Investigate any recent unusual login behavior or IP addresses associated with the account. Verify whether the user has recently changed their authentication methods or account settings. Follow the account for possible suspicious or unusual logins.Variations
Suspicious MFA request reported by a sensitive user in Entra ID
Low overridden
A user has flagged an MFA request as suspicious in Microsoft Entra ID. This could indicate a potential compromised user account or unauthorized access attempt. overridden
Suspicious SSO access from ASN Informational Identity Analytics 1 variation
A suspicious SSO authentication was made by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.Variations
Google Workspace - Suspicious SSO access from ASN
Informational overridden
A suspicious SSO authentication was made by a user. overridden
Suspicious SSO authentication Informational Identity Analytics 2 variations
A suspicious SSO authentication was made by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: OktaAttacker's goals: Achieve initial access to a company's resources.Investigative actions: See whether this was a legitimate action. Review the external IP/domain involved in the alert. Contact the user whose account is being accessed and verify that they are actually attempting to log in. Check if the login attempt is coming from an unfamiliar location or device. Look for unusual login patterns, such as login attempts at odd hours. Monitor the user's account for further unusual activity.Variations
Successful SSO authentication with suspicious characteristics
Medium overridden
A user successfully accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden
SSO authentication attempt with suspicious characteristics
Low overridden
A user accessed SSO with some suspicious characteristics that flagged this login attempt as a suspicious login. overridden
Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics
Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)Required data: AzureADAttacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.Investigative actions: Follow further actions done by the account.Suspicious heavy allocation of compute resources - possible mining activity Medium Cloud 3 variations
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. access key, service account, etc.Variations
Suspicious heavy allocation of compute resources - possible mining activity
Low overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
High overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
Medium overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious usage of EC2 token Low Cloud 1 variation
An AWS EC2 STS token was used externally from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Steal Application Access Token (T1528) Unsecured Credentials (T1552) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogAttacker's goals: Exfiltrate token and abuse it remotely.Investigative actions: Check if the access key was generated by the attached instance. Check what actions were executed by the access key. Check if the relevant instance is compromised.Variations
Suspicious usage of EC2 token
Medium overridden
An AWS EC2 STS token was used externally from an EC2 instance. overridden
Unusual AWS Bedrock model access request Informational Cloud
A cloud identity requested access to an AWS Bedrock model.MITRE ATLAS Technique: AML.T0012 - Valid Accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Gain access to cloud AI/ML resources and services.Investigative actions: Examine which AWS Bedrock models were affected. Investigate any unusual activity originating from the suspected identity.Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual user account unlock Informational Identity Analytics 1 variation
A user unlocked an account. This user does not usually unlock user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may unlock a user account to gain unauthorized access.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4625, 4776 events). Check if the user is authorized to unlock accounts. Confirm that the user unlock was expected. Monitor services that may be running with a user's credentials, resulting in lockouts.Variations
Unusual sensitive user account unlock
Low overridden
A user unlocked a sensitive account. This user does not usually unlock user accounts. overridden
Unusual user-agent for a cloud identity Informational Cloud 1 variation
A cloud identity has executed an API call with an unusual user-agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Evade detection by using non-standard tools or scripts.Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.Variations
Unusual user-agent for a cloud identity by a compromised AWS access key
Medium overridden
A cloud identity has executed an API call with an unusual user-agent. overridden
User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation
A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)Required data: AzureADAttacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.Variations
User signed in to an uncommon application via Power Automate for the first time
Low overridden
A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden
VPN access with an abnormal operating system Informational Identity Analytics 2 variations
A user accessed a VPN with an abnormal operating system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a legitimate user and connect to a VPN service to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has really moved to a new operating system). Follow actions and suspicious activities regarding the user.Variations
VPN access with a suspicious operating system
Medium overridden
A user accessed a VPN with an abnormal operating system. overridden
VPN access from an abnormal operating system with suspicious characteristics
Low overridden
A user accessed a VPN from an abnormal operating system with some more suspicious characteristics that flagged this login attempt as a suspicious login. overridden
VPN login attempt by a honey user Low Identity Analytics 1 variation
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsDetector tags: Honey User AnalyticsAttacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.Variations
Abnormal VPN login by a honey user
Medium overridden
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity. overridden
VPN login by a service account Low Identity Analytics 1 variation
A service account attempted to log in to a VPN service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.Investigative actions: See whether the service authentication was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare VPN login by an administrative service account
Medium overridden
An administrative service account attempted to log in to a VPN service. overridden
VPN login with a machine account Informational Identity Analytics 1 variation
A machine account successfully logged in to a VPN service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised in the past to gain access to the network and access privileged resources.Investigative actions: See whether the service login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.Variations
Rare VPN login with a machine account
Low overridden
A machine account successfully logged in to a VPN service. overridden