Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0003 ✕ technique: T1021 ✕
Show ATT&CK heatmapA user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
Rare Scheduled Task RPC activity Informational 3 variations
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Variations
Rare remote task registration and creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden
Rare remote task creation via Scheduled Task RPC interface
Medium overridden
The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden
Rare Scheduled Task RPC activity
Low overridden
The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden
Rare Scheduled Task RPC activity from a rarely seen host Low
The endpoint performed abnormal Scheduled Task RPC activity to a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet AnalyticsAttacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations
An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.Variations
Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity
Informational overridden
An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Instance SSH keys were modified for the first time in the cloud provider
High overridden
An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification by a service account
Medium overridden
A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification
Informational overridden
An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious GCP project level metadata modification by a service account
Low overridden
A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification attempt
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden