Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

53 alerts match the current filters. tactic: TA0004 ✕ technique: T1098 ✕

Show ATT&CK heatmap
  • A Kubernetes cluster role binding was created or deleted Informational Cloud

    A Kubernetes cluster role binding was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.
    Investigative actions: Check which changes were made to the Kubernetes cluster role binding.
  • A Kubernetes role binding was created or deleted Informational Cloud

    A Kubernetes role binding was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Obtain Kubernetes secrets to access restricted information.
    Investigative actions: Check which changes were made to the Kubernetes secret.
  • A cloud identity had escalated its permissions Informational Cloud 4 variations

    A cloud identity had updated its permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    A cloud identity with high administrative activity had escalated its permissions

    Informational overridden

    A cloud identity with high administrative activity had updated its permissions. overridden

    A cloud compute service had escalated its permissions

    Medium overridden

    A cloud compute service had updated its permissions. overridden

    A cloud non-human identity had escalated its permissions

    Low overridden

    A cloud non-human identity had updated its permissions. overridden

    A cloud identity escalated its permissions to a high privilege role/policy

    Low overridden

    A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden

  • A computer account was promoted to DC Low Identity Analytics

    A computer account was promoted to a domain controller via a User Account Control (UAC) change.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain domain administrator privileges.
    Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.
  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user was added to a Windows security group Informational Identity Analytics 4 variations

    A user was added to a Windows security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added a member to a Windows privileged group for the first time

    Medium overridden

    A user was added to a Windows security privileged group. overridden

    User added to a Windows privileged group

    Low overridden

    A user was added to a Windows security privileged group. overridden

    User removed from a Windows privileged group

    Informational overridden

    A user was removed from a Windows security privileged group. overridden

    A user was removed from a Windows security group

    Informational overridden

    A user was removed from a Windows security group. overridden

  • AWS support case creation Informational Cloud

    A cloud identity has created a new case in AWS support.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.
    Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .
  • An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations

    An identity attached an administrative policy to an IAM user or role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

    Variations

    An identity attached an administrative policy to itself

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    An identity failed to attach an administrative policy to an IAM user or role

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    A suspicious identity attached an administrative policy to an IAM user/role

    Low overridden

    An identity attached an administrative policy to an IAM user or role. overridden

  • An identity created or updated password for an IAM user Informational Cloud 1 variation

    An identity created or updated an AWS console password for an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges, maintain persistence in cloud environments.
    Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.

    Variations

    A suspicious identity created or updated password for an IAM user

    Low overridden

    An identity created or updated an AWS console password for an IAM user. overridden

  • Azure domain federation settings modification attempt Low Identity Threat Module 1 variation

    A user or application attempted to modify the federation settings of the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.

    Variations

    A successful Azure domain federation settings modification

    Medium overridden

    A user or application successfully modified the federation settings of the domain. overridden

  • Credentials were added to Azure application Informational Cloud

    Credentials were added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • External user invitation to Azure tenant Informational Cloud

    An external user was invited to Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain unauthorized access to the tenant.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • GCP administrative role granted to a cloud identity Informational Cloud

    A cloud identity granted an administrative IAM role to another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • GCP sensitive Cloud Run role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Cloud Run IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Cloud Run role granted

    Medium overridden

    A cloud identity granted itself a sensitive Cloud Run IAM role. overridden

  • GCP sensitive Deployment Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Deployment Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within the cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Deployment Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden

  • GCP sensitive Functions role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Functions IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Functions role granted

    Medium overridden

    A cloud identity granted itself a sensitive Functions IAM role. overridden

  • GCP sensitive IAM role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive IAM role granted

    Medium overridden

    A cloud identity granted itself a sensitive IAM role. overridden

  • GCP sensitive Secret Manager role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive Secret Manager IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive Secret Manager role granted

    Medium overridden

    A cloud identity granted itself a sensitive Secret Manager IAM role. overridden

  • GCP sensitive compute role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive compute IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive compute role granted

    Medium overridden

    A cloud identity granted itself a sensitive compute IAM role. overridden

  • GCP sensitive role granted to group Low Cloud 1 variation

    A cloud identity granted a sensitive role to a group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the group.

    Variations

    GCP sensitive role granted to group

    Medium overridden

    A cloud identity granted a sensitive role to a group. overridden

  • GCP sensitive storage role granted Informational Cloud 1 variation

    A cloud identity granted itself a sensitive storage IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    GCP sensitive storage role granted

    Medium overridden

    A cloud identity granted itself a sensitive storage IAM role. overridden

  • GCP set IAM policy activity Informational Cloud

    A cloud identity had modified a resource policy bindings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Gcp Audit Log
    Attacker's goals: Maintain persistent access or escalate privileges within cloud environment.
    Investigative actions: Verify which permissions were granted to the identity.
  • IAM User added to an IAM group Informational Cloud

    An IAM user was added to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.
    Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.
  • IAM inline policy was added to group Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to role Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM inline policy was added to user Informational Cloud

    A cloud identity added an AWS IAM inline policy to an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM instance profile was associated with EC2 instance Informational Cloud

    An AWS IAM instance profile was associated with EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was created Informational Cloud

    An AWS IAM instance profile was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM instance profile was replaced for EC2 instance Informational Cloud

    An AWS IAM instance profile was replaced for EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.
  • IAM policy default version was changed Informational Cloud

    A cloud identity set the specified version of an AWS IAM policy as the policy's default.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy version was created Informational Cloud

    A cloud identity created an AWS-managed IAM policy version.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to group Informational Cloud

    A cloud identity attached an AWS IAM policy to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM policy was attached to role Informational Cloud 1 variation

    An AWS IAM policy was attached to this role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.
    Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.

    Variations

    Administrative IAM policy was attached to role

    Informational overridden

    An AWS IAM policy was attached to this role. overridden

  • IAM role trust policy modification Informational Cloud

    A cloud identity updated the trust policy of an AWS IAM role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.
  • IAM role was created Informational Cloud

    An IAM role was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.
    Investigative actions: Investigate any unusual activity originating from the suspected identity or role.
  • Member added to a Windows local security group Informational Identity Analytics 2 variations

    A member was added to a Windows local security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added to the Windows local Administrator group

    Low overridden

    A member was added to a Windows local security group. overridden

    Member added to the Windows local Administrator group

    Informational overridden

    A member was added to a Windows local security group. overridden

  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • Okta admin privilege assignment Informational Identity Threat Module 1 variation

    A user assigned admin privileges to a new user or group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.

    Variations

    Abnormal Okta admin privilege assignment with suspicious characteristics

    Low overridden

    A suspicious user assignment of admin privileges to a new user or group. overridden

  • Owner was added to Azure application Informational Cloud

    An Owner was added to an Azure application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain administrative control and manipulate the application's permissions and settings.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation

    An attacker might abuse dMSA account to escalate its privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.
    Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.

    Variations

    Possible Privilege Escalation using Delegated MSA account attempt

    Medium overridden

    An attacker might abuse dMSA account to escalate its privileges. overridden

  • Privileged role used by Azure application Informational Cloud 1 variation

    An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.
    Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.

    Variations

    First-time privileged role is used by Azure application

    Low overridden

    An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden

  • SPNs cleared from a machine account Low Identity Analytics 1 variation

    Service principal names were cleared from a machine account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.

    Variations

    SPNs cleared from a machine account for the first time

    Medium overridden

    Service principal names were cleared from a machine account. overridden

  • Service ticket request with a spoofed sAMAccountName Medium Identity Analytics

    A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.
  • Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation

    Suspicious account attribute modification that matches that of another account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.
    Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.

    Variations

    Suspicious account attribute modification that matches that of a sensitive machine account

    Medium overridden

    Suspicious account attribute modification that matches that of another account. overridden

  • Suspicious dNSHostName attribute change to DC name Medium Identity Analytics

    The dNSHostName attribute of a machine account was changed to a Domain Controller server name.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Suspicious sAMAccountName change Low Identity Analytics 1 variation

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.

    Variations

    Suspicious sAMAccountName change to DC hostname

    Medium overridden

    The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden

  • TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics

    A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Elevate privileges from standard domain user to domain admin.
    Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.
  • Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations

    A cloud identity performed an unusual IAM operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.

    Variations

    Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance

    Medium overridden

    A cloud Internet facing instance performed an unusual IAM operation. overridden

    Unusual Identity and Access Management (IAM) activity

    Low overridden

    A cloud non-user identity performed an unusual IAM operation. overridden

  • User added to a group and removed Informational Identity Analytics 2 variations

    A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.

    Variations

    Rare privileged group addition and removal

    Medium overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

    User added to a privileged group and removed

    Low overridden

    A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden

  • User added to the SMS Admins local group Low Identity Analytics 1 variation

    A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.
    Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.

    Variations

    User added to the SMS Admins group and removed

    Medium overridden

    A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden