Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0005 ✕ technique: T1556 ✕
Show ATT&CK heatmapA user modified an Okta policy rule Informational Identity Threat Module 1 variation
An Okta policy rule was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.Variations
A user modified an Okta policy rule with suspicious characteristics
Low overridden
An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden
An AWS SAML provider was modified Informational Cloud
An AWS SAML provider was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)Required data: AWS Audit LogAttacker's goals: Gain privileged access to AWS accounts.Investigative actions: Check what changes were made to the SAML provider.An app was added to the Google Workspace trusted OAuth apps list Informational Identity Threat Module 2 variations
An identity added an OAuth app to the Google Workspace trusted OAuth apps list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was added to the trusted apps list looks suspicious. Follow further actions done by the account.Variations
An unusual app was added to the Google Workspace trusted OAuth apps list
Low overridden
An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden
An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity
Low overridden
An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden
An app was removed from a blocked list in Google Workspace Informational Identity Threat Module 3 variations
An identity removed an app from Google Workspace blocked OAuth or third-party apps list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Malicious OAuth Apps can be used to request elevated permissions or to impersonate another user.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was removed from the trusted apps list looks suspicious. Follow further actions done by the account.Variations
An app was removed from a blocked list in Google Workspace by a suspicious identity
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An app was removed from a blocked list in Google Workspace by a non Google Workspace administrative user
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
An app was removed from a blocked list in Google Workspace from an unusual ASN
Low overridden
An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden
MFA was disabled for a Google Workspace user Informational Identity Threat Module 2 variations
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.Investigative actions: Verify if the MFA disablement was authorized. Investigate the source IP and User Agent for previous malicious activity or anomalies. Follow further actions done by the user and IP address.Variations
MFA was disabled for a Google Workspace administrative user
Medium overridden
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden
MFA was disabled for a Google Workspace user by a different account for the first time
Low overridden
Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden
MFA was disabled for an Azure identity Low Identity Threat Module 2 variations
MFA was disabled for the user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: AzureAD Audit LogAttacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.Variations
Suspicious MFA was disabled for an Azure identity
Medium overridden
MFA was disabled for the user. overridden
MFA was disabled for an Azure identity regularly by the user
Informational overridden
MFA was disabled for the user. overridden
Modification of PAM Informational 1 variation
Modification of PAM configuration files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Credential access, defense evasion or persistence.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Modification of PAM from a Kubernetes pod
Informational overridden
Modification of PAM configuration files. overridden
Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics
Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)Required data: AzureADAttacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.Investigative actions: Follow further actions done by the account.Weakly-Encrypted Kerberos TGT Response Informational 1 variation
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).Variations
Abnormal Weakly-Encrypted Kerberos TGT Response
Low overridden
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden