Analytics Alerts
Browse the Cortex analytics alert reference.
249 alerts match the current filters. tactic: TA0005 ✕
Show ATT&CK heatmapA Kubernetes namespace was created or deleted Informational Cloud
A Kubernetes namespace was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Manipulating namespace name to make it appear legitimate or benign.Investigative actions: Check which changes were made to the Kubernetes namespace.A LOLBIN was copied to a different location Informational 2 variations
To evade detection, attackers may copy a LOLBIN executable to a different location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentAttacker's goals: Command execution via lolbins and detection avoidance via file rename.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the lolbin and try to see if it's benign.Variations
A LOLBIN was copied to a different location using a rare command line
High overridden
To evade detection, attackers may copy a LOLBIN executable to a different location. overridden
A LOLBIN was copied to a different location using a rare command line via a commonly used method
Low overridden
To evade detection, attackers may copy a LOLBIN executable to a different location. overridden
A Service Principal was removed from Azure Informational Cloud
A service principal was removed from Azure. This indicates a change in access permissions and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)Required data: Azure Audit LogAttacker's goals: Evade defensive measures by deleting a possibly malicious service principal.Investigative actions: Check the Azure Active Directory audit logs for the details of the removed service principal. Check the Azure role assignments to identify which resources were impacted by the removal of the service principal.A browser was opened in private mode Informational Identity Threat Module
A browser was opened in private mode, which may indicate an attempt to cover tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)Required data: XDR AgentAttacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.A cloud identity created or modified a security group Informational Cloud 2 variations
A cloud identity created or modified a security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Bypass network security controls to gain access to restricted cloud resources.Investigative actions: Check which security rules were added or modified. Check whether the identity that modified the security group rules is permitted to perform such action. Check which cloud resources can be affected by the security group.Variations
A cloud identity opened a security group to the Internet
Medium overridden
A cloud identity modified a security group to allow network access from the Internet. overridden
A cloud identity opened a security group to an unknown IP
Low overridden
A cloud identity modified a security group to allow network access from an unknown IP. overridden
A cloud storage configuration was modified Informational Cloud
A cloud storage configuration was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Public Exposure, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: An attacker may use this API to grant storage access permission.Investigative actions: Check if the identity intended to modify the storage configuration. Check if the identity performed additional malicious operations in the cloud environment.A compiled HTML help file wrote a script file to the disk Low
A compiled HTML help file wrote a script file to the disk. Compiled HTLM help files usually don't write script files to the disk. This behavior is often employed by malware that leverages malicious CHM files to deliver a 2nd stage payload.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution: Compiled HTML File (T1218.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Deliver a 2nd stage payload or to avoid detection.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check the file that was written to the disk for malicious activities.A domain was added to the trusted domains list Low Identity Threat Module 2 variations
A domain was added to the Google Workspace trusted domains list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.Variations
A domain was added to the trusted domains list by a non Google Workspace administrative user
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A domain was added to the trusted domains list from an unusual ASN
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A process is masquerading as a common Microsoft product Informational 5 variations
An attacker might leverage common Microsoft software image names to run malicious processes without being caught.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.Variations
An unsigned actor executed masqueraded process which was downloaded from unexpected source
High overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
An unsigned and rare actor executing masqueraded process with uncommon characteristics
High overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process that was executed by remote causality actor is masquerading as a common Microsoft product
Medium overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process is masquerading as a common Microsoft Lolbin
Low overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process running from a commonly abused directory is masquerading as a common Microsoft product
Low overridden
An attacker might leverage common Microsoft software image names to run malicious processes without being caught. overridden
A process was executed with a command line obfuscated by Unicode character substitution Medium
A process was executed with a command line obfuscated by Unicode character substitution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Obfuscated Files or Information (T1027)Required data: XDR AgentAttacker's goals: Hide its action and avoid detection.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A suspicious executable with multiple file extensions was created Medium
An executable file with multiple extensions was created. This technique is frequently used to disguise malware as user content.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Bypassing defenses and/or tricking the user into executing a file that seems like a trustworthy file.Investigative actions: Investigate the actor process and the file created to determine if it was used for legitimate purposes or malicious activity.A third-party utility was copied to a different location Informational
To evade detection, attackers may copy a third-party utility executable to a different location.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading: Rename Legitimate Utilities (T1036.003)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: Detection avoidance via file rename.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the destination path of the third-party utility and try to see if it's benign.A user added a Windows firewall rule Informational Identity Threat Module
A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Check Windows Defender Firewall with Advanced Security for a new rule that was added. Check if the new rule was added to different machines as well.A user logged in at an unusual time via SSO Informational Identity Analytics 1 variation
A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Check the login of the user. Check further actions done by the account (e.g. creating files in suspicious locations, creating users, elevating permissions, etc.). Check if the user accessing remote resources or connecting to other services. Check if the user is logging in from an unusual time zone while traveling. Check if the user usually logs in from this country.Variations
Google Workspace - A user logged in at an unusual time via SSO
Informational overridden
A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised. overridden
A user logged in at an unusual time via VPN Informational Identity Analytics
A user connected to a VPN on a day and hour, which is unusual for this user. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Check the amount of traffic and how long it continues. Follow further actions done by the user.A user modified an Okta network zone Informational Identity Threat Module 2 variations
An Okta network zone was modified by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta network zone to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other network zones have been changed or removed.Variations
The user has made an unusual modification to the Okta Network zone
Medium overridden
An atypical modification to the Okta Network zone has been performed by the user. overridden
A user modified an Okta network zone with suspicious characteristics
Low overridden
An Okta network zone was modified by a user with suspicious characteristics. overridden
A user modified an Okta policy rule Informational Identity Threat Module 1 variation
An Okta policy rule was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.Variations
A user modified an Okta policy rule with suspicious characteristics
Low overridden
An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden
A user modified the CA audit policy Low Identity Analytics
This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable Windows Event Logging (T1562.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to cover their tracks before an AD CS attack.Investigative actions: Check the user account modifying the CA audit policy and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.AI safeguards deletion attempt Informational Cloud 1 variation
A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.Investigative actions: Examine which AI models were affected. Investigate any unusual activity originating from the suspected identity.Variations
AI safeguards were successfully deleted
Low overridden
A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
AI safeguards were modified Informational Cloud 2 variations
A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.Investigative actions: Examine changed safeguards filters and determine which AI models were affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual modification of AI safeguards
Low overridden
A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
AI safeguards were created or modified
Informational overridden
A cloud identity created or modified AI safeguards. overridden
AWS Bedrock model invocation logging deletion Low Cloud 2 variations
A cloud identity deleted the model invocation logging.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Avoid detection by limiting collected data from models.Investigative actions: Investigate any unusual activity originating from the suspected identity.Variations
AWS Bedrock model invocation logging deletion by an identity with administrative activity
Informational overridden
A cloud identity with administrative activity deleted the model invocation logging. overridden
AWS Bedrock model invocation logging was successfully deleted
Low overridden
A cloud identity successfully deleted the model invocation logging. overridden
AWS CloudTrail has been stopped Informational Cloud 2 variations
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Verify whether the identity attempted to stop trail logging. Determine if additional trails continue to log activity.Variations
AWS CloudTrail has been stopped
Medium overridden
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden
AWS CloudTrail has been stopped
Low overridden
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden
AWS CloudTrail modification Informational Cloud 2 variations
An identity updated a CloudTrail trail configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Review the activity of the identity that modified the trail's configuration. Check which trail is affected by this change. Verify whether a new destination has been set for log archiving.Variations
AWS CloudTrail modification
Medium overridden
An identity updated a CloudTrail trail configuration. overridden
AWS CloudTrail modification
Low overridden
An identity updated a CloudTrail trail configuration. overridden
AWS CloudWatch log group deletion Informational Cloud
An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.AWS CloudWatch log stream deletion Informational Cloud
An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.AWS Config Recorder stopped Informational Cloud
Configuration Recorder was stopped for a resource in AWS Config.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check the identity which stopped the configuration recording. Check what resources are affected by this change.AWS Flow Logs deletion Informational Cloud
A cloud identity has deleted one or more Flow Logs records.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Exfiltrate information.Investigative actions: Check if the Identity intended to delete the Flow Logs record/s. Check what VPC is affected by this.AWS Guard-Duty detector deletion Low Cloud
AWS Guard-Duty detector was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: This action may assist an attacker to evade detection.Investigative actions: Check why the identity deleted the detector. Check what resources are relevant to the deleted detector.AWS S3 bucket was exposed to public access Low Cloud 2 variations
AWS bucket was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the bucket to public. Change the bucket or ACL policy for bucket. Restrict permissions for the identity if needed.Variations
AWS S3 bucket was exposed to public access by admin cloud identity
Informational overridden
AWS bucket was publicly shared. overridden
AWS S3 bucket was exposed to public access containing sensitive information
High overridden
AWS bucket was publicly shared. overridden
AWS SecurityHub findings were modified Informational Cloud
AWS SecurityHub findings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: AWS Audit LogAttacker's goals: Bypass security measures implemented by AWS SecurityHub.Investigative actions: Check the current AWS SecurityHub settings and verify they are configured properly.AWS config resource deletion Informational Cloud
An AWS config resource deletion this includes:Config rule, organization rule, configuration recorder, remediation configuration, conformance pack, configuration aggregator, delivery channel, retention configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: An attacker may modify Config configuration to evade detection.Investigative actions: Check why the identity deleted the configuration. Check what resources are relevant to the deleted config.AWS data asset shared public Low Cloud
A data asset was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.AWS network ACL rule deletion Informational Cloud
An AWS network ACL rule was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Identify which VPC and associated resources are affected. Check the rule number, as ACL rules are evaluated in order. Determine whether the rule is ingress or egress.AWS web ACL deletion Informational Cloud 1 variation
Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: To impair defense, this may assist data exfiltration.Investigative actions: Verify if the identity intended to delete the Web ACL. Check what resources are affected by the Web ACL deletion.Variations
Successful AWS web ACL deletion by a non-admin identity
Low overridden
Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted. overridden
An AWS GuardDuty IP set was created Informational Cloud
An AWS GuardDuty IP set has been created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Evade detection.Investigative actions: Check which IP set has been modified and confirm the changes.An AWS S3 bucket configuration was modified Informational Cloud
An AWS S3 bucket configuration has been modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Modify storage configuration to detection or allow access to sensitive information.Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.An AWS SAML provider was modified Informational Cloud
An AWS SAML provider was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)Required data: AWS Audit LogAttacker's goals: Gain privileged access to AWS accounts.Investigative actions: Check what changes were made to the SAML provider.An Azure Firewall policy deletion Low Cloud
An Azure Firewall policy was deleted. An attacker might use this technique to disable network defenses.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Exfiltrate information, network persistence of a service/resource.Investigative actions: Check which subnets or specific IP addresses were affected by the change. Check which services were accessed after the firewall change and via which protocols or network traffic.An Azure Firewall rule collection group was modified or deleted Informational Cloud
An Azure Firewall rule collection group was modified or deleted. This could indicate a malicious actor attempting to bypass security measures.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security measures to gain access to cloud resources.Investigative actions: Check the Azure Firewall rule collection group to identify the modified or deleted rules.An Azure Firewall was modified Informational Cloud
An Azure Firewall was modified or deleted. This may indicate a security risk.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Verify whether the identity should be making this action. Check what changes were made to Azure Firewall.An Azure Network Security Group was modified Informational Cloud
An Azure Network Security Group was modified or deleted. This could indicate malicious activity or a misconfiguration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures to gain access to cloud resources.Investigative actions: Check the network security settings of the Azure account to identify any recent changes.An Azure Point-to-Site VPN was modified Informational Cloud
An Azure Point-to-Site VPN was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security controls.Investigative actions: Determine how the Azure Point-to-Site VPN was modified or deleted. Verify whether the identity performing this action is authorized to make such changes.An Azure Suppression Rule was created Informational Cloud
An Azure Suppression Rule was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Investigate the user's activity to determine the cause of the alert.An Azure VPN Connection was modified Informational Cloud
Modification or removal of an Azure VPN connection was detected. This alert indicates a change to an existing VPN connection or the deletion of an existing connection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Check how Azure VPN Connection was modified. Verify whether the identity should be making this action.An Azure firewall rule group was modified Informational Cloud
An Azure firewall rule group was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security controls to gain access to restricted resources within the Azure cloud environment.Investigative actions: Check the Azure Firewall rule configuration to identify the changes made. Verify whether the identity should be making this action.An app was added to the Google Workspace trusted OAuth apps list Informational Identity Threat Module 2 variations
An identity added an OAuth app to the Google Workspace trusted OAuth apps list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was added to the trusted apps list looks suspicious. Follow further actions done by the account.Variations
An unusual app was added to the Google Workspace trusted OAuth apps list
Low overridden
An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden
An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity
Low overridden
An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden
An app was removed from a blocked list in Google Workspace Informational Identity Threat Module 3 variations
An identity removed an app from Google Workspace blocked OAuth or third-party apps list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious OAuth Apps can be used to request elevated permissions or to impersonate another user.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was removed from the trusted apps list looks suspicious. Follow further actions done by the account.Variations
An app was removed from a blocked list in Google Workspace by a suspicious identity
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An app was removed from a blocked list in Google Workspace by a non Google Workspace administrative user
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An app was removed from a blocked list in Google Workspace from an unusual ASN
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An identity disabled bucket logging Informational Cloud
An identity disabled bucket logging.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Avoid detection by disabling cloud logging capabilities.Investigative actions: Determine whether this activity was done on purpose. Examine additional API calls made by the identity.An unsigned process created scheduled task and performed an injection Medium 1 variation
An unsigned process created scheduled task and performed an injection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Scheduled Task/Job: Scheduled Task (T1053.005) Process Injection (T1055)Required data: XDR AgentDetector tags: Scheduled tasks AnalyticsAttacker's goals: To ensure they have persistence on the system, the threat actor may use scheduled tasks to set persistence, Then, to avoid detection and carry out stealth execution, they may inject a malicious payload into a remote process.Investigative actions: Investigate the injection payload and the injection process. Check if the scheduled task trigger payload is malicious.Variations
Possible an unsigned installer created scheduled task and performed an injection
Low overridden
Possible an unsigned installer created scheduled task and performed an injection. overridden
An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation
An unusual cloud identity was granted permissions to a BigQuery table or dataset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.Variations
Cloud admin granted an unknown identity permissions to a BigQuery resource
Informational overridden
An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden
Authentication Attempt From a Dormant Account Informational 1 variation
A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 31 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Use a compromised user account that has not been used in a long time and therefore less likely to be noticed.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Authentication Attempt From a Dormant Account to a sensitive server
Low overridden
A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker on a sensitive server. overridden
Azure AD PIM alert disabled Medium Identity Threat Module
An identity disabled an Azure AD PIM alert.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker might want to disable alerts associated with authentication requirements for privileged access. This may allow malicious activities to go unnoticed.Investigative actions: Check what alert was disabled. Check whether the user that disabled the alert is permitted to perform such actions.Azure AD PIM role settings change Low Identity Threat Module 1 variation
An identity changed the PIM role settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.Variations
Suspicious Azure AD PIM role settings change
Medium overridden
An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden
Azure Automation Runbook Deletion Informational Cloud
An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)Required data: Azure Audit LogAttacker's goals: Stop business services.Investigative actions: Check which runbook was deleted and whether it is malicious or valid.Azure Blob Container Access Level Modification Informational Cloud
Access level modification for a blob container, this action might be dangerous as sensitive data can be exposed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: File and Directory Permissions Modification (T1222)Required data: Azure Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Access restricted data.Investigative actions: Check if and which data was exposed after the access level modification.Azure Event Hub Deletion Low Cloud
An Azure event hub was deleted. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check what actions were taken by the identity that deleted the event hub.Azure Kubernetes events were deleted Informational Cloud
Events have been deleted in Azure Kubernetes. This could indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Remove evidence or hinder defenses.Investigative actions: Look for any suspicious activity initiated by the identity.Azure Network Watcher Deletion Low Cloud
Azure Network Watchers are used for monitoring and diagnosing Azure resources. An attacker might use this technique to avoid security mitigations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Avoid security mitigations and detections.Investigative actions: Check which devices are monitored by the deleted Network Watcher.Azure Resource Group Deletion Informational Cloud
Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check which resource group was deleted.Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations
An identity registered an Azure Temporary Access Pass (TAP) to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.Variations
Azure Temporary Access Pass (TAP) registered to a privileged account
Medium overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Abnormal Azure Temporary Access Pass (TAP) account registration
Low overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Azure application URI modification Informational Identity Threat Module 1 variation
An identity added or updated an Azure application's URI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.Variations
Suspicious Azure application URI modification
Low overridden
An identity added or updated an Azure application's URI. overridden
Azure application credentials added Informational Identity Threat Module 2 variations
An identity added credentials to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Variations
Suspicious credential operation on an Azure application
Medium overridden
An identity added a certificate to an Azure application in a suspicious way. overridden
Unusual certificate operation on an Azure application
Low overridden
An identity added a certificate to an Azure application with some unusual parameters. overridden
Azure application removed Informational Cloud
An Azure application has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts (T1564)Required data: Azure Audit LogAttacker's goals: Delete apps used for malicious activities. Delete evidence of activity.Investigative actions: Check the Azure Portal for any changes in applications. Review the activities performed by the application.Azure conditional access policy creation or modification Informational Cloud
An Azure conditional access policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Bypass authentication controls.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure device code authentication flow used Informational Identity Analytics 3 variations
An Azure AD login was performed with device code flow.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: Azure Audit LogAttacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.Variations
Suspicious Azure device code authentication flow used by an Azure AD privileged user
Medium overridden
An Azure AD login was performed with device code flow. overridden
Suspicious Azure device code authentication flow used
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure device code authentication flow used by an Azure AD privileged user
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure diagnostic configuration deletion Informational Cloud
An attacker might delete the Azure diagnostic settings to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check the identity and its actions after the deletion action.Azure mailbox rule creation Informational Cloud 1 variation
A Mailbox rule in Azure was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Intercept or exfiltrate sensitive information.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Variations
Unusual Azure mailbox rule creation
Low overridden
A Mailbox rule in Azure was created. overridden
Azure storage account blob anonymous access is enabled Informational Cloud
It is possible to configure anonymous access to blobs within the storage account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Azure storage account was publicly shared Informational Cloud
Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogDetector tags: Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: Attackers want to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the storage account should be accessed from all networks. Disable public network access if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.BitLocker key retrieval Informational Identity Threat Module
An identity retrieved a BitLocker Key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: BitLocker keys are used for mitigating unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive. An attacker that retrieves this key, can potentially access the data that should be encrypted.Investigative actions: Check what key was retrieved. Check for a possible compromised device. Check whether the user is permitted to perform such actions.Change of sudo caching configuration Low 1 variation
Change of sudo caching configuration may have been intended to enable privilege escalation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may use the sudoers file to elevate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Change of sudo caching configuration in a Kubernetes pod
Low overridden
Change of sudo caching configuration may have been intended to enable privilege escalation. overridden
Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation
A user modified Chrome OS Remote Access configuration in Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.Variations
Suspicious Chrome OS Remote Access policy was modified in Google Workspace
Low overridden
This is the first time the user performs this operation in the last 30 days. overridden
Cloud AI agent was modified Informational Cloud 1 variation
A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Modify AI agents to evade certain restrictions and potentially access sensitive data.Investigative actions: Examine changed AI agent and determine how it was affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual modification of AI agent
Low overridden
A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
Cloud Organizational policy was created or modified Informational Cloud 1 variation
Cloud organizational policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)Required data: Gcp Audit LogAttacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.Variations
Cloud Organizational policy was created or modified
Low overridden
Cloud organizational policy was created or modified. overridden
Cloud Watch alarm deletion Informational Cloud
A Cloud Watch alarm was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Delete alarm to evade detection.Investigative actions: Check the identity that deleted the alarm. Check the which resource were related to the deleted alarm.Cloud compute volume creation attempt Informational Cloud 1 variation
An attempt was made to create an EBS volume.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on snapshots.Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.Variations
Cloud compute volume creation attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to create an EBS volume. overridden
Cloud instance creation attempt Informational Cloud
An attempt was made to create a cloud compute instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Create a new cloud instance to evade detection or leverage it for further malicious activity.Investigative actions: Review recent activity related to the identity and the created cloud instance.Cloud instance deletion attempt Informational Cloud 1 variation
An attempt was made to delete a cloud compute instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: To remove evidence or disrupt operations.Investigative actions: Review recent activity associated with the identity and the deleted instance.Variations
Cloud instance deletion attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to delete a cloud compute instance. overridden
Cloud resource logging was disabled Informational Cloud 3 variations
Cloud resource logging was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Avoiding detection of their activities by limiting the amount of data collected. This action may be preliminary to resource deletion or data exhilaration from the resource. Setting the stage for further attacks, like a Ransomware Attack.Investigative actions: Confirm that the identity intended to disable logging on this resource. Follow further actions done by the identity. Monitor other (non-disabled) activity logs related to this resource.Variations
Cloud resource logging was disabled - failed attempt
Informational overridden
A failed attempt to disable cloud resource logging. overridden
Cloud resource logging was disabled on an Azure DB/storage resource
Informational overridden
Cloud resource logging was disabled on a DB/storage resource. overridden
Cloud resource logging was disabled on a GCP DB/storage resource
Low overridden
Cloud resource logging was disabled on a DB/storage resource. overridden
Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
CloudTrail logging deletion Informational Cloud 2 variations
CloudTrail logging trail deletion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Verify whether the identity attempted to delete the trail. Determine whether an additional trail needs to be enabled.Variations
Successful CloudTrail logging deletion by a non-admin identity
Medium overridden
CloudTrail logging trail deletion. overridden
Successful CloudTrail logging deletion by an unusual identity
Low overridden
CloudTrail logging trail deletion. overridden
Common third-party software name masquerading Informational 2 variations
An attacker might leverage common third-party software image names to run malicious processes without being caught.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Masquerading (T1036)Required data: XDR AgentDetector tags: EDR Windows Disguised ProcessesAttacker's goals: An attacker is attempting to masquerade as a common third-party software image to execute malicious code.Investigative actions: Investigate the executed process image and check if it is malicious. Investigate the actor process that executed the process and check if it is malicious.Variations
Common third-party software name masquerading which was downloaded from an unexpected source
Low overridden
An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden
Common third-party software name masquerading with uncommon characteristics by actor with uncommon characteristics
Low overridden
An attacker might leverage common third-party software image names to run malicious processes without being caught. overridden
Compute activity in dormant cloud region Informational Cloud 3 variations
A compute resource was created or updated in a cloud region that has been dormant for this project.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Unused/Unsupported Cloud Regions (T1535)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Create compute resources in unmonitored regions to evade detection for purposes such as hijacking resources or establishing persistence.Investigative actions: Verify if compute resources are authorized in this region. Terminate unauthorized compute resources and disable unused regions.Variations
Compute activity in dormant cloud region from a non-VPN IP address
Informational overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
A cloud compute instance was created in a dormant region
Medium overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
Compute activity in dormant cloud region by a compromised AWS access key
High overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
Conditional Access policy removed Low Identity Threat Module
An identity removed a Conditional Access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. Without a Conditional Access policy, an attacker would be able to access the tenant without possible blockage for later access.Investigative actions: Check implications of the policy being removed. Check whether the user changing the configuration is permitted to perform such actions.Conhost.exe spawned a suspicious cmd process Low 3 variations
Attackers may abuse the conhost process to execute malicious files and evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218)Required data: XDR AgentAttacker's goals: Investigate the processes being spawned on the host for malicious activities.Investigative actions: An adversary may use the conhost process to evade detection.Variations
Conhost.exe spawned a suspicious powershell encoded command
High overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Conhost.exe spawned a suspicious scripting process with long command line
Medium overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Conhost.exe spawned a suspicious child process
Medium overridden
Attackers may abuse the conhost process to execute malicious files and evade detection. overridden
Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations
An identity has modified data sharing settings between GCP and Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.Variations
Data Sharing between GCP and Google Workspace was disabled by a suspicious identity
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled from an unusual ASN
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data encryption was disabled Informational Cloud
A cloud identity has disabled data encryption.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Weaken Encryption (T1600) Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: An attacker is trying to access sensitive data in plaintext. An attacker might try to exfiltrate plaintext data to an endpoint controlled by the attacker and avoid detection. An attacker can re-encrypt the data with a key that is available only to the attacker.Investigative actions: Check if the identity intended to disable data encryption. Check which cloud assets were affected by manipulating the above-mentioned configuration file. Check if the identity performed additional suspicious actions to affected assets.Delayed Deletion of Files Low
A command line deleting files used the time-out or ping commands to delay the file deletion. This is suspicious, as malware sometimes uses these techniques to cover their tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: File Deletion (T1070.004)Required data: XDR AgentAttacker's goals: Evade security controls and possibly cover their tracks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Deletion of AD CS certificate database entries Informational Identity Analytics 1 variation
A user has deleted rows from the certificate database of an AD CS server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to cover their tracks after issuing certificates.Investigative actions: Check the user account deleting the certificate database entries and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes.Variations
Abnormal deletion of AD CS certificate database entries
Low overridden
A user has deleted rows from the certificate database of an AD CS server. overridden
Device Registration Policy modification Informational Identity Threat Module 1 variation
An identity changed the Device Registration policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion. With a modified Device Registration policy, an attacker might be able to access the tenant without possible blockage for later access.Investigative actions: Check what policy has been changed. Check whether the user changing the configuration is permitted to perform such actions.Variations
A user modified the Device Registration Policy for the first time
Low overridden
An identity changed the Device Registration policy. overridden
Disable Microsoft Defender Antivirus via registry Low
Disable Microsoft Defender Antivirus via registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to disable defender antivirus to execute malicious tools and move through the network without triggering alarms.Investigative actions: Investigate the process that set or create the registry key.EBS volume attachment attempt Informational Cloud 2 variations
An attempt was made to attach an EBS volume to an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit LogAttacker's goals: Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.Investigative actions: Review recent activity related to the identity, the attached volume and the cloud instance.Variations
EBS volume attachment attempt for volume with sensitive data
Informational overridden
An attempt was made to attach an EBS volume with sensitive data to an EC2 instance. overridden
EBS volume attachment attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to attach an EBS volume to an EC2 instance. overridden
EBS volume detachment attempt Informational Cloud 1 variation
An attempt was made to detach an AWS EBS volume from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on the detached volume.Investigative actions: Review recent activity related to the identity and the detached volume.Variations
EBS volume detachment attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to detach an AWS EBS volume from an EC2 instance. overridden
Email attachment with Right-to-Left Override Unicode character Low Email
The email message contains an attachment with a hidden Right-to-Left Override Unicode character.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: EvasionAttacker's goals: Bypass security filters and deliver malicious content to users Mislead recipients into opening a malicious file by obscuring its true nature Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.Email attachment with multiple extensions Informational Email 2 variations
This may indicate an attempt at masquerading the true file type through the misuse of multiple extensions in the attachment name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005)ATT&CK techniques: User Execution: Malicious File (T1204.002) Masquerading: Double File Extension (T1036.007)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems or gain unauthorized access.Investigative actions: Check the file types and investigate the legitimacy of files intended to be sent via email. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them. Check the email address for any unusual spellings or missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address.Variations
Email executable attachment with multiple extensions
Low overridden
This could be a potential attempt to trick the user into executing such file(s). overridden
Email executable attachment with multiple executable extensions
Low overridden
This could be a potential attempt to trick the user into executing such file(s). overridden
Email attachment(s) with potentially malicious MIME type Informational Email 2 variations
The email message contains an attachment(s) with a potentially malicious MIME type.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading: Masquerade File Type (T1036.008) User Execution (T1204)Required data: Microsoft 365 EmailsAttacker's goals: Deploy malicious attachments through emails to compromise systems, gain unauthorized access, or facilitate cyber threats.Investigative actions: Carefully analyze attachments for any indications of suspicious or malicious behavior. Scrutinize the attachments for any suspicious indications. Confirm whether the attachments were successfully delivered to the recipient's mailbox. If the attachments were delivered successfully, verify whether the recipient downloaded them.Variations
Attachment(s) with potentially malicious MIME type unusual for the organization
Informational overridden
At least one attachment with a potentially malicious file mime-type was received in an email for the first time within the organization in the past 30 days. overridden
Attachment(s) with a potentially malicious MIME type that is unusual for the recipient
Informational overridden
At least one attachment with a potentially malicious file mime-type was received in an email for the first time for the recipient in the past 30 days. overridden
Email containing a link with an IP address convention was detected Informational Email
A link with IP address convention was detected within the email body.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Masquerading (T1036) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user into clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email containing a redirected link Informational Email 1 variation
An email with a redirected link has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Execution (TA0002)ATT&CK techniques: Hide Artifacts (T1564) User Execution (T1204)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Attackers can use link redirection to disguise malicious URLs.Investigative actions: Carefully analyze the full redirection chain. Be cautious with this process, as clicking on links can pose security risks. Use URL reputation services to check if the final destination or any of the intermediate URLs are known to be malicious or associated with phishing. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email containing a redirected link with multiple redirections
Informational overridden
An email with a redirected link has been detected.The email contains at least one redirected link with multiple redirection patterns, which is concerning as it can obscure malicious URLs and evade security filters. overridden
Email with URL shortener detected Informational Email
A URL shortener was detected in the email body.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts (T1564)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Attackers use URL shorteners to hide the true destination of a link, making it easier to trick recipients into clicking on it.Investigative actions: Examine the sender's IP ֿֿaddress and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.