Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. tactic: TA0004 ✕ technique: T1484 ✕
Show ATT&CK heatmapA GCP service account was delegated domain-wide authority in Google Workspace Low Identity Threat Module 1 variation
A Google Workspace admin has enabled domain-wide delegation to a GCP service account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious Apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
A Google Workspace admin has enabled domain-wide delegation to a GCP service account and granted him access to a sensitive scope
Medium overridden
A Google Workspace admin has enabled domain-wide delegation to a GCP service account. overridden
A Google Workspace service was configured as unrestricted Informational Identity Threat Module 3 variations
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
A Google Workspace service was configured as unrestricted by a suspicious identity
Low overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace service was configured as unrestricted from an unusual ASN
Low overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A Google Workspace service was configured as unrestricted by a non-administrative identity
Informational overridden
An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden
A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
Azure domain federation settings modification attempt Low Identity Threat Module 1 variation
A user or application attempted to modify the federation settings of the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.Variations
A successful Azure domain federation settings modification
Medium overridden
A user or application successfully modified the federation settings of the domain. overridden
Gmail delegation was turned on for the organization Informational Identity Threat Module
A Google Workspace admin turned on Gmail delegation for all the organization's users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Email Collection.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if any user in the organization granted other users access to their mail inbox. Follow further actions done by the account.Google Marketplace restrictions were modified Informational Identity Threat Module 3 variations
An identity modified Google Marketplace Restrictions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious Apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
Google Marketplace restrictions were modified by a suspicious identity
Low overridden
An identity modified Google Marketplace Restrictions. overridden
Google Marketplace restrictions were modified from an unusual ASN
Low overridden
An identity modified Google Marketplace Restrictions. overridden
Google Marketplace restrictions were modified by a non Google Workspace administrative user
Informational overridden
An identity modified Google Marketplace Restrictions. overridden
Google Workspace third-party application's security settings were changed Informational Identity Threat Module 3 variations
An identity changed Google Workspace third-party application's security settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious apps can be used to access the organization's Google data.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.Variations
Google Workspace third-party application's security settings were changed by a suspicious identity
Low overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace third-party application's security settings were changed from an unusual ASN
Low overridden
An identity changed Google Workspace third-party application's security settings. overridden
Google Workspace third-party application's security settings were changed by a non Google Workspace administrative user
Informational overridden
An identity changed Google Workspace third-party application's security settings. overridden