Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0003 ✕ technique: T1059 ✕
Show ATT&CK heatmapGoogle Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden