Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0001 ✕ technique: T1538 ✕
Show ATT&CK heatmapA user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.Variations
A user accessed multiple resources via SSO using an anonymized proxy
Medium overridden
A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden
Suspicious user access to multiple resources via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
Multiple Resource Access from a New IP via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden