Analytics Alerts
Browse the Cortex analytics alert reference.
15 alerts match the current filters. tactic: TA0005 ✕ technique: T1078 ✕
Show ATT&CK heatmapA user logged in at an unusual time via SSO Informational Identity Analytics 1 variation
A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOneAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Check the login of the user. Check further actions done by the account (e.g. creating files in suspicious locations, creating users, elevating permissions, etc.). Check if the user accessing remote resources or connecting to other services. Check if the user is logging in from an unusual time zone while traveling. Check if the user usually logs in from this country.Variations
Google Workspace - A user logged in at an unusual time via SSO
Informational overridden
A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised. overridden
A user logged in at an unusual time via VPN Informational Identity Analytics
A user connected to a VPN on a day and hour, which is unusual for this user. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Check the amount of traffic and how long it continues. Follow further actions done by the user.Authentication Attempt From a Dormant Account Informational 1 variation
A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 31 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Use a compromised user account that has not been used in a long time and therefore less likely to be noticed.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Authentication Attempt From a Dormant Account to a sensitive server
Low overridden
A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker on a sensitive server. overridden
Azure AD PIM role settings change Low Identity Threat Module 1 variation
An identity changed the PIM role settings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.Variations
Suspicious Azure AD PIM role settings change
Medium overridden
An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden
Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations
An identity registered an Azure Temporary Access Pass (TAP) to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.Variations
Azure Temporary Access Pass (TAP) registered to a privileged account
Medium overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Abnormal Azure Temporary Access Pass (TAP) account registration
Low overridden
An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden
Azure storage account blob anonymous access is enabled Informational Cloud
It is possible to configure anonymous access to blobs within the storage account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Failed Login For Locked-Out Account Informational
A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Authenticate using the principal in the TGT, not knowing that it has been revoked.Investigative actions: Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked. The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.Login by a dormant user Informational Identity Analytics 1 variation
A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: XDR AgentAttacker's goals: Use a compromised user account that has not been used for a long time and is therefore less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.Variations
Cached interactive login by a dormant user
Informational overridden
A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker. overridden
Masquerading as a default local account Low Identity Analytics 3 variations
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker is attempting to evade detection.Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.Variations
Masquerading as a default local account for the first time
Medium overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Potential masquerading as a power user account
Low overridden
A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden
Masquerading as a default Administrator account
Informational overridden
A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden
Short-lived Azure AD user account Informational Identity Threat Module 1 variation
An Azure AD user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: AzureAD Audit LogAttacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal Short-lived Azure AD user account
Low overridden
An Azure AD user was created and deleted within a short period of time. overridden
Short-lived user account Low Identity Analytics 2 variations
A user was created and deleted within a short period of time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Evasion using a valid account.Investigative actions: Check the user who created the account and verify the activity. Confirm that the account creation was not accidental.Variations
Abnormal short-lived user account
Low overridden
A user was observed creating and deleting an account a short time later. This user does not regularly create and delete accounts. overridden
Short-lived hidden user account
Medium overridden
A user was created with a name that mimics a machine account and later deleted within a short period of time. This may be an attacker's attempt to evade detection. overridden
Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics
Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)Required data: AzureADAttacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.Investigative actions: Follow further actions done by the account.Unusual cloud identity impersonation Informational Cloud 3 variations
A cloud identity attempted to impersonate another identity for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.Variations
Unusual cloud identity impersonation of a management role
Informational overridden
A cloud identity attempted to impersonate a management role for the first time. overridden
Suspicious cloud identity impersonation was succeeded
Medium overridden
A cloud identity has impersonated another identity for the first time. overridden
Suspicious cloud identity impersonation was failed
Informational overridden
A cloud identity has failed to impersonate another identity. overridden
Unusual user-agent for a cloud identity Informational Cloud 1 variation
A cloud identity has executed an API call with an unusual user-agent.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Evade detection by using non-standard tools or scripts.Investigative actions: Examine the recent actions of the user for any abnormal or unauthorized behavior. Verify if the user intentionally used a new device or tool.Variations
Unusual user-agent for a cloud identity by a compromised AWS access key
Medium overridden
A cloud identity has executed an API call with an unusual user-agent. overridden
VPN login by a dormant user Informational Identity Analytics
A dormant user logged on to a VPN service after having been unused for a month or longer.This may indicate the account is misused by an attacker.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use a compromised user account which has not been used for a long while, and therefore is less likely to be noticed.Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check if the user initiated other logins aside from a VPN login. Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.