Analytics Alerts
Browse the Cortex analytics alert reference.
14 alerts match the current filters. tactic: TA0001 ✕ technique: T1199 ✕
Show ATT&CK heatmapAWS STS temporary credentials were generated Informational Cloud
AWS STS temporary credentials were generated for an AWS identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)Required data: AWS Audit LogAttacker's goals: Gain access and persistence to AWS account.Investigative actions: Check which operation executed with the new credentials.An AWS SAML provider was modified Informational Cloud
An AWS SAML provider was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)Required data: AWS Audit LogAttacker's goals: Gain privileged access to AWS accounts.Investigative actions: Check what changes were made to the SAML provider.Attempted Azure application access from unknown tenant Informational Cloud 2 variations
A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Abuse serverless services to execute code in cloud environments.Investigative actions: Validate the legitimacy of the tenant in question. Investigate any unusual activity originating from the application.Variations
Attempted Azure application access from an unusual tenant
Medium overridden
A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant. overridden
Azure application access from unknown tenant
Low overridden
A Microsoft Graph API was executed by an Azure application from an unknown tenant. overridden
Azure application consent Informational Identity Threat Module 1 variation
An identity consented permissions to an application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)Required data: AzureAD Audit LogAttacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.Variations
First seen Azure admin consent to an application
Low overridden
An administrative identity consented permissions to an application. overridden
Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations
A suspicious identity type has attempted to impersonate another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.Variations
Cloud impersonation attempt of a management role by unusual identity type
Informational overridden
An unusual cloud identity type attempted to impersonate a management role. overridden
Successful cloud impersonation by an unusual identity type
Medium overridden
A suspicious identity type has successfully impersonated another identity. overridden
Download pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Email mimics replies or forwards without an actual ongoing conversation Informational Email
An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Phishing (T1566) Trusted Relationship (T1199)Required data: Microsoft 365 EmailsDetector tags: SpoofingAttacker's goals: Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, mislead recipients by concealing harmful intents such as phishing or malware distribution.Investigative actions: Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged. Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.GCP service account impersonation attempt Informational Cloud
An attempt to impersonate the GCP service account failed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: Gcp Audit LogAttacker's goals: Escalate privileges to gain elevated access to cloud resources.Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.Multiple failed logins from a single IP Informational Cloud 2 variations
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access to the cloud console.Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.Variations
Multiple failed logins from an unknown IP
Medium overridden
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden
Multiple failed logins from a single IP by a compromised AWS access key
High overridden
Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden
Okta User Session Impersonation Informational Identity Threat Module 1 variation
A user has initiated a session impersonation in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access to sensitive information or perform malicious actions on behalf of the impersonated user.Investigative actions: Ensure the user is authorized to impersonate a user session. Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.Variations
Okta User Session Impersonation with suspicious characteristics
Low overridden
A user has initiated a session impersonation with suspicious characteristics in Okta. overridden
Rare MS-Update Server was detected Informational 1 variation
The endpoint requested an MS-Update operation from a rare update server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attackers may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.Variations
Rare MS-Update Server was detected
Informational overridden
The endpoint requested an MS-Update operation from a rare update server. overridden
Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual cross projects activity Low Cloud 1 variation
A suspicious activity between different cloud projects.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Trusted Relationship (T1199)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse an existing connection and pivot through multiple projects to find their target.Investigative actions: Check if the identity intended to perform actions on the project. Check the operations that were performed on the project {caller_project}. Check if the identity performed additional operations in the cloud environment that might be malicious.Variations
Suspicious cross projects activity
Medium overridden
A suspicious activity between different cloud projects. overridden
Upload pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.