Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0004 ✕ technique: T1134 ✕
Show ATT&CK heatmapExecution of command from within a Kubernetes pod using kubelet credentials Low 1 variation
A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Access Token Manipulation (T1134)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual execution of command from within a Kubernetes pod using kubelet credentials
Medium overridden
A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API. overridden
Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden
User added SID History to an account Informational Identity Analytics 1 variation
A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.Variations
Suspicious SID History Addition
Medium overridden
A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden