Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0003 ✕ technique: T1021 ✕

Show ATT&CK heatmap
  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • Rare Scheduled Task RPC activity Informational 3 variations

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to query and manage services on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.

    Variations

    Rare remote task registration and creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration and creation via Scheduled Task RPC interface to a remote host. overridden

    Rare remote task creation via Scheduled Task RPC interface

    Medium overridden

    The endpoint performed abnormal task registration or creation via Scheduled Task RPC interface to a remote host. overridden

    Rare Scheduled Task RPC activity

    Low overridden

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host. overridden

  • Rare Scheduled Task RPC activity from a rarely seen host Low

    The endpoint performed abnormal Scheduled Task RPC activity to a remote host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Persistence (TA0003)
    ATT&CK techniques: Remote Services (T1021) Scheduled Task/Job (T1053)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: NDR Lateral Movement Analytics, NDR Unmanaged Subnet Analytics
    Attacker's goals: Attackers may attempt to gain persistence or move laterally over the network by executing code on remote hosts using scheduled tasks. The ITaskSchedulerService RPC interface is used to create and manage scheduled tasks on a local or remote host.
    Investigative actions: Review the action of the created scheduled task on the remote host. Correlate the RPC call from the source host and understand which software initiated it. Verify that this isn't IT activity.
  • Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations

    An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.
    Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.

    Variations

    Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity

    Informational overridden

    An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Instance SSH keys were modified for the first time in the cloud provider

    High overridden

    An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification by a service account

    Medium overridden

    A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification

    Informational overridden

    An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious GCP project level metadata modification by a service account

    Low overridden

    A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification attempt

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden