Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

82 alerts match the current filters. tactic: TA0003 ✕ technique: T1098 ✕

Show ATT&CK heatmap
  • A Google Workspace user was added to a group Informational Identity Threat Module

    A user added another user to a Google Workspace group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate accounts and groups to maintain access to victim systems.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user was added to a sensitive group. Follow further actions done by the account.
  • A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations

    A cloud identity invoked IAM related persistence operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.

    Variations

    A cloud identity invoked compute instance related persistence operations

    Informational overridden

    A cloud identity invoked compute instance related persistence operations. overridden

    A cloud identity invoked compute function related persistence operations

    Informational overridden

    A cloud identity invoked compute function related persistence operations. overridden

  • A computer account was promoted to DC Low Identity Analytics

    A computer account was promoted to a domain controller via a User Account Control (UAC) change.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain domain administrator privileges.
    Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.
  • A process modified an SSH authorized_keys file Informational 3 variations

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers, Generic Persistence Analytics
    Attacker's goals: Adversaries use this to ensure that they possess the corresponding private key and may log in as an existing user via SSH.
    Investigative actions: Check the file modification, try to understand the impact of the related processes and network connections.

    Variations

    A process modified an SSH authorized_keys2 file

    Low overridden

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden

    A process modified an SSH authorized_keys file from within a Kubernetes Pod

    Low overridden

    A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden

    Unpopular process modified the SSH authorized_keys file

    Low overridden

    An unpopular process modified the SSH authorized_keys file. overridden

  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user enabled a default local account Informational Identity Analytics 2 variations

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.
    Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.

    Variations

    A user enabled the Windows DefaultAccount

    Low overridden

    A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

    A user enabled the Windows default Guest account

    Low overridden

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user was added to a Windows security group Informational Identity Analytics 4 variations

    A user was added to a Windows security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added a member to a Windows privileged group for the first time

    Medium overridden

    A user was added to a Windows security privileged group. overridden

    User added to a Windows privileged group

    Low overridden

    A user was added to a Windows security privileged group. overridden

    User removed from a Windows privileged group

    Informational overridden

    A user was removed from a Windows security privileged group. overridden

    A user was removed from a Windows security group

    Informational overridden

    A user was removed from a Windows security group. overridden

  • AWS console login without MFA Informational Cloud

    An identity logged in to the AWS console without MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
    Required data: AWS Audit Log
    Attacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.
    Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.
  • An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations

    An identity attached an administrative policy to an IAM user or role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

    Variations

    An identity attached an administrative policy to itself

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    An identity failed to attach an administrative policy to an IAM user or role

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    A suspicious identity attached an administrative policy to an IAM user/role

    Low overridden

    An identity attached an administrative policy to an IAM user or role. overridden

  • An identity created or updated password for an IAM user Informational Cloud 1 variation

    An identity created or updated an AWS console password for an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges, maintain persistence in cloud environments.
    Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.

    Variations

    A suspicious identity created or updated password for an IAM user

    Low overridden

    An identity created or updated an AWS console password for an IAM user. overridden

  • An unknown account was invited to the AWS organization Informational Cloud

    An unknown account was invited to your AWS organization.The target account was not seen in your tenant for the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Establish persistent access to the compromised cloud account.
    Investigative actions: Identify the invited account ID and ownership. Review additional actions performed by the identity and role.
  • Azure Automation Webhook creation Informational Cloud

    Azure Automation Webhook can be used to pass a payload with specific attributes to run a malicious Runbook.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity actions prior/after the webhook creation. Find which Runbook was executed using the webhook.
  • Azure Service principal/Application creation Informational Cloud

    An Azure Service principal/Application was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To gain persistent access and elevate privileges within the environment.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure account creation by a non-standard account Informational Identity Threat Module 1 variation

    An Azure AD account creation was performed by a user that doesn't typically create users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)
    Required data: AzureAD Audit Log
    Attacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.
    Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.

    Variations

    Unusual Azure account creation by a non-standard account

    Low overridden

    An Azure AD account creation was performed by a user that doesn't typically create users. overridden

  • Azure application URI modification Informational Identity Threat Module 1 variation

    An identity added or updated an Azure application's URI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.

    Variations

    Suspicious Azure application URI modification

    Low overridden

    An identity added or updated an Azure application's URI. overridden

  • Azure application credentials added Informational Identity Threat Module 2 variations

    An identity added credentials to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.
    Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.

    Variations

    Suspicious credential operation on an Azure application

    Medium overridden

    An identity added a certificate to an Azure application in a suspicious way. overridden

    Unusual certificate operation on an Azure application

    Low overridden

    An identity added a certificate to an Azure application with some unusual parameters. overridden

  • Azure device code authentication flow used Informational Identity Analytics 3 variations

    An Azure AD login was performed with device code flow.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
    Required data: Azure Audit Log
    Attacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.
    Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.

    Variations

    Suspicious Azure device code authentication flow used by an Azure AD privileged user

    Medium overridden

    An Azure AD login was performed with device code flow. overridden

    Suspicious Azure device code authentication flow used

    Low overridden

    An Azure AD login was performed with device code flow. overridden

    Azure device code authentication flow used by an Azure AD privileged user

    Low overridden

    An Azure AD login was performed with device code flow. overridden

  • Azure domain federation settings modification attempt Low Identity Threat Module 1 variation

    A user or application attempted to modify the federation settings of the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.

    Variations

    A successful Azure domain federation settings modification

    Medium overridden

    A user or application successfully modified the federation settings of the domain. overridden

  • Azure group creation/deletion Informational Cloud

    A group in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence to the environment.
    Investigative actions: Check group's assigned roles. Check which members were added to the group.
  • Azure permission delegation granted Informational Cloud 1 variation

    An identity delegated permissions to access a certain resource or application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log
    Attacker's goals: Gain control over user accounts.
    Investigative actions: Check the user access logs for any suspicious activity. Review the permissions granted and the scope of the permissions.

    Variations

    Azure permission delegation granted by an Azure AD privileged user

    Low overridden

    An identity delegated permissions to access a certain resource or application. overridden

  • Azure user creation/deletion Informational Cloud

    A user in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence into the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure user password reset Informational Cloud

    The password of an Azure AD user was reset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Cloud access key creation Informational Cloud 2 variations

    Cloud access key creation by a cloud identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Persist in the environment.
    Investigative actions: investigate the identity who created the access keys. Check the access key activity in the organization.

    Variations

    Successful access key creation by an unusual identity type

    Informational overridden

    Cloud access key creation by a cloud identity. overridden

    Unusual successful cloud access key creation

    Informational overridden

    Cloud access key creation by a cloud identity. overridden

  • Credentials were added to Azure application Informational Cloud

    Credentials were added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Exchange mailbox delegation permissions added Informational Identity Threat Module Email 1 variation

    A user added delegation permissions to an Exchange mailbox.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    4 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)
    Required data: Office 365 Audit
    Attacker's goals: Add delegation permissions to a mailbox for persistence reasons.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).

    Variations

    Addition of Exchange mailbox delegation permissions with suspicious characteristics

    Low overridden

    A user added delegation permissions to an Exchange mailbox. overridden

  • Exchange mailbox folder permission modification Informational Identity Threat Module Email 1 variation

    A user modified permissions to an Exchange mailbox folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Check for abnormal Azure AD non-interactive logins by the user. Monitor for changes that may indicate excessively broad permissions.

    Variations

    Exchange mailbox folder permission modification for a default user

    Low overridden

    A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user. overridden

  • External user invitation to Azure tenant Informational Cloud

    An external user was invited to Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain unauthorized access to the tenant.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • GCP Service Account key creation Informational Cloud

    A GCP service account key was created. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Gcp Audit Log
    Attacker's goals: Persistence using the created key.
    Investigative actions: Check what actions were taken using the newly created service account key. Check what other actions were taken by the identity that created the key.
  • GCP administrative role granted to a cloud identity Informational Cloud

    A cloud identity granted an administrative IAM role to another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • GCP sensitive Cloud Run role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Cloud Run IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Cloud Run role granted

    Medium overridden

    A cloud identity granted itself a sensitive Cloud Run IAM role. overridden

  • GCP sensitive Deployment Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Deployment Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Deployment Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden

  • GCP sensitive Functions role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Functions IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Functions role granted

    Medium overridden

    A cloud identity granted itself a sensitive Functions IAM role. overridden

  • GCP sensitive IAM role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive IAM role granted

    Medium overridden

    A cloud identity granted itself a sensitive IAM role. overridden

  • GCP sensitive Secret Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Secret Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Secret Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Secret Manager IAM role. overridden

  • GCP sensitive compute role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive compute IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive compute role granted

    Medium overridden

    A cloud identity granted itself a sensitive compute IAM role. overridden

  • GCP sensitive role granted to group Low Cloud 1 variation

    A cloud identity granted a sensitive role to a group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the group.

    Variations

    GCP sensitive role granted to group

    Medium overridden

    A cloud identity granted a sensitive role to a group. overridden

  • GCP sensitive storage role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive storage IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive storage role granted

    Medium overridden

    A cloud identity granted itself a sensitive storage IAM role. overridden

  • GCP set IAM policy activity Informational Cloud

    A cloud identity had modified a resource policy bindings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • Google Workspace organizational unit was modified Informational Identity Threat Module

    A Google Workspace admin modified an organizational unit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • Google Workspace user authentication information changed Informational Identity Threat Module 2 variations

    Google Workspace authentication information was changed for a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.
    Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.

    Variations

    Google Workspace administrative user authentication information changed

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

    Google Workspace user authentication information changed by another account

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

  • IAM User added to an IAM group Informational Cloud

    An IAM user was added to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.
    Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.
  • IAM inline policy was added to group Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to role Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to user Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM instance profile was associated with EC2 instance Informational Cloud

    An AWS IAM instance profile was associated with EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was created Informational Cloud

    An AWS IAM instance profile was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was replaced for EC2 instance Informational Cloud

    An AWS IAM instance profile was replaced for EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM policy default version was changed Informational Cloud

    A cloud identity set the specified version of an AWS IAM policy as the policy's default.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy version was created Informational Cloud

    A cloud identity created an AWS-managed IAM policy version.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to group Informational Cloud

    A cloud identity attached an AWS IAM policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to role Informational Cloud 1 variation

    An AWS IAM policy was attached to this role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.

    Variations

    Administrative IAM policy was attached to role

    Informational overridden

    An AWS IAM policy was attached to this role. overridden

  • IAM role trust policy modification Informational Cloud

    A cloud identity updated the trust policy of an AWS IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM role was created Informational Cloud

    An IAM role was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity or role.
  • Identity assigned an Azure AD Administrator Role Informational Identity Threat Module 2 variations

    An identity was assigned an Azure AD Administrator role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.
    Investigative actions: Check if the added account is new to the organization. Check whether the account that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.

    Variations

    Identity assigned an Azure AD Administrator Role by an Application

    Medium overridden

    An identity was assigned an Azure AD Administrator role by an application. overridden

    Suspicious Azure AD Administrator Role assignment

    Low overridden

    An identity was assigned an Azure AD Administrator role. overridden

  • Member added to a Windows local security group Informational Identity Analytics 2 variations

    A member was added to a Windows local security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added to the Windows local Administrator group

    Low overridden

    A member was added to a Windows local security group. overridden

    Member added to the Windows local Administrator group

    Informational overridden

    A member was added to a Windows local security group. overridden

  • New Teams application published to the organization catalog Informational Identity Threat Module 1 variation

    A new Teams application was published to the organization catalog.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.
    Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to publish this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.

    Variations

    A Microsoft Teams application was published to the organization catalog by an unusual user

    Low overridden

    A new Teams application was published to the organization catalog. overridden

  • New cloud identity created with administrative policy Low Cloud 1 variation

    New cloud identity was created and assigned administrative policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.

    Variations

    Administrative IAM User Created with Credentials

    Low overridden

    New cloud identity was created and assigned administrative policy. overridden

  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • Owner was added to Azure application Informational Cloud

    An Owner was added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain administrative control and manipulate the application's permissions and settings.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Potential creation of persistent cloud credentials Informational Cloud

    A cloud identity invoked a credential-related persistence operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)
    Required data: AWS Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.
  • SPNs cleared from a machine account Low Identity Analytics 1 variation

    Service principal names were cleared from a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.

    Variations

    SPNs cleared from a machine account for the first time

    Medium overridden

    Service principal names were cleared from a machine account. overridden

  • Service ticket request with a spoofed sAMAccountName Medium Identity Analytics

    A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.
  • SharePoint Site Collection admin group addition Informational Identity Threat Module 2 variations

    A user made an addition to the site collection administrators group in SharePoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Office 365 Audit
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Check the IP address from which the access originated. Verify the activity with the performing user. Follow further actions done by the account.

    Variations

    SharePoint site collection admin added to personal site

    Informational overridden

    A user was added as a site collection admin to a personal site, indicating that the user has accessed the SharePoint service for the first time. overridden

    Abnormal SharePoint Site Collection admin group addition

    Low overridden

    A user made an addition to the site collection administrators group in SharePoint. This user has not made any SharePoint site admin additions over the past 30 days. overridden

  • Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation

    Suspicious account attribute modification that matches that of another account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.
    Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.

    Variations

    Suspicious account attribute modification that matches that of a sensitive machine account

    Medium overridden

    Suspicious account attribute modification that matches that of another account. overridden

  • Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations

    An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.
    Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.

    Variations

    Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity

    Informational overridden

    An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Instance SSH keys were modified for the first time in the cloud provider

    High overridden

    An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification by a service account

    Medium overridden

    A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious cloud compute instance SSH keys modification

    Informational overridden

    An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden

    Suspicious GCP project level metadata modification by a service account

    Low overridden

    A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

    Suspicious GCP project level metadata modification attempt

    Informational overridden

    An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden

  • Suspicious dNSHostName attribute change to DC name Medium Identity Analytics

    The dNSHostName attribute of a machine account was changed to a Domain Controller server name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Suspicious modification of the AdminSDHolder's ACL Low Identity Analytics

    A user modified the AdminSDHolder ACL, which may be an indication of a privilege escalation attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers attempt to obtain full control privileges and then move laterally.
    Investigative actions: Check if a new user was added to the AdminSDHolder object. Check if a suspicious user account was recently created. Check if a user was added to a privileged group (e.g. Domain Admins). Investigate any other potentially suspicious behavior from the compromised user. Search for actions that may trigger SDProp, such as modifying the registry or executing an LDAP query.
  • Suspicious sAMAccountName change Low Identity Analytics 1 variation

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.

    Variations

    Suspicious sAMAccountName change to DC hostname

    Medium overridden

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden

  • TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Unusual AWS credentials creation Low

    AWS utility was used to create an access key and a secret key.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: XDR Agent
    Attacker's goals: Maintain access to an AWS provider.
    Investigative actions: Check the machine timeline and look for abnormal activity. Investigate what other calls were made to the AWS account.
  • Unusual AWS user added to group Low 1 variation

    AWS user added to AWS group, possibly to elevate privileges and gain more access to resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Gain persistence and elevate privileges.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual AWS user added to group from a Kubernetes Pod

    Low overridden

    AWS user added to AWS group, possibly to elevate privileges and gain more access to resources. overridden

  • Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations

    A cloud identity performed an unusual IAM operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.

    Variations

    Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance

    Medium overridden

    A cloud Internet facing instance performed an unusual IAM operation. overridden

    Unusual Identity and Access Management (IAM) activity

    Low overridden

    A cloud non-user identity performed an unusual IAM operation. overridden

  • Unusual user account enablement Informational Identity Analytics 1 variation

    A user enabled an account. This user does not usually enable user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may enable a user account to gain persistence.
    Investigative actions: Investigate the associated enabling event. Check if the user is authorized to enable accounts. Confirm that the account enablement was expected. If the account enablement seems suspicious, address it accordingly by disabling the account again, forcing a password change, or monitoring its activity.

    Variations

    Unusual sensitive user account enablement

    Low overridden

    A user enabled a sensitive account. This user does not usually enable user accounts. overridden

  • Unverified domain added to Azure AD Informational Identity Threat Module 1 variation

    A new unverified domain was added to Azure AD.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check if the new domain is known for the organization. Check whether the user changing the configuration is permitted. Monitor network activity to and from the added domain.

    Variations

    Rare unverified domain addition to Azure AD

    Low overridden

    A new unverified domain was added to Azure AD. overridden

  • User account delegation change Informational Identity Analytics 2 variations

    A user account was modified with delegation to a service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to control an Active Directory environment.
    Investigative actions: Verify this action with the user who performed the change. Check if the account modified is a service account. Follow actions by the user, including TGT and TGS requests. Monitor for anomalous Kerberos activity.

    Variations

    User account delegation to KRBTGT

    High overridden

    A user account was modified with delegation to the KRBTGT service. overridden

    User account delegation to a DC

    Low overridden

    A user account was modified with delegation to a service on a domain controller. overridden

  • User added a new device to Okta Verify instance Informational Identity Threat Module 1 variation

    The user has successfully registered a new device with the Okta Verify application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.
    Investigative actions: Reach out to the user responsible for the device registration to confirm its legitimacy. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN). Make sure the IP address is not showing any abnormal activity. Monitor the activity from the new registered device and ensure that it matches the user's normal activity.

    Variations

    Suspicious device enrollment to Okta

    Low overridden

    A new device was registered on Okta with suspicious characteristics, which increased the alert severity. overridden

  • User added to a group and removed Informational Identity Analytics 2 variations

    A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.

    Variations

    Rare privileged group addition and removal

    Medium overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

    User added to a privileged group and removed

    Low overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

  • User added to the SMS Admins local group Low Identity Analytics 1 variation

    A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.

    Variations

    User added to the SMS Admins group and removed

    Medium overridden

    A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden