Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0005 ✕ technique: T1550 ✕
Show ATT&CK heatmapAzure application URI modification Informational Identity Threat Module 1 variation
An identity added or updated an Azure application's URI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.Variations
Suspicious Azure application URI modification
Low overridden
An identity added or updated an Azure application's URI. overridden
Azure application credentials added Informational Identity Threat Module 2 variations
An identity added credentials to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Variations
Suspicious credential operation on an Azure application
Medium overridden
An identity added a certificate to an Azure application in a suspicious way. overridden
Unusual certificate operation on an Azure application
Low overridden
An identity added a certificate to an Azure application with some unusual parameters. overridden
Azure device code authentication flow used Informational Identity Analytics 3 variations
An Azure AD login was performed with device code flow.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: Azure Audit LogAttacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.Variations
Suspicious Azure device code authentication flow used by an Azure AD privileged user
Medium overridden
An Azure AD login was performed with device code flow. overridden
Suspicious Azure device code authentication flow used
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure device code authentication flow used by an Azure AD privileged user
Low overridden
An Azure AD login was performed with device code flow. overridden