Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0005 ✕ technique: T1555 ✕

Show ATT&CK heatmap
  • Potential extraction of NAA Account Credentials in Microsoft Configuration Manager Low Identity Analytics 1 variation

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005)
    ATT&CK techniques: Unsecured Credentials (T1552) Deobfuscate/Decode Files or Information (T1140) Credentials from Password Stores (T1555)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

    Medium overridden

    Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account. overridden