Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. tactic: TA0005 ✕ technique: T1484 ✕
Show ATT&CK heatmapA domain was added to the trusted domains list Low Identity Threat Module 2 variations
A domain was added to the Google Workspace trusted domains list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.Variations
A domain was added to the trusted domains list by a non Google Workspace administrative user
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A domain was added to the trusted domains list from an unusual ASN
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A user modified an Okta policy rule Informational Identity Threat Module 1 variation
An Okta policy rule was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.Variations
A user modified an Okta policy rule with suspicious characteristics
Low overridden
An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden
Azure AD PIM alert disabled Medium Identity Threat Module
An identity disabled an Azure AD PIM alert.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker might want to disable alerts associated with authentication requirements for privileged access. This may allow malicious activities to go unnoticed.Investigative actions: Check what alert was disabled. Check whether the user that disabled the alert is permitted to perform such actions.Azure conditional access policy creation or modification Informational Cloud
An Azure conditional access policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Domain or Tenant Policy Modification (T1484)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Bypass authentication controls.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Cloud Organizational policy was created or modified Informational Cloud 1 variation
Cloud organizational policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)Required data: Gcp Audit LogAttacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.Variations
Cloud Organizational policy was created or modified
Low overridden
Cloud organizational policy was created or modified. overridden