Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

49 alerts match the current filters. tactic: TA0006 ✕ technique: T1110 ✕

Show ATT&CK heatmap
  • A user connected from a new country Informational Identity Analytics 1 variation

    A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    A user connected from a new country - suspicious characteristics detected

    Low overridden

    The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden

  • A user connected to a VPN from a new country Informational Identity Analytics 1 variation

    A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    A user connected to a VPN from a suspicious country

    Low overridden

    A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden

  • A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation

    A user logged in from an unusual country or ASN. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.

    Variations

    A service account successfully logged in from a new country or ASN

    Low overridden

    A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden

  • A user rejected an SSO request from an unusual country Low Identity Analytics

    A user rejected an SSO authentication request from an abnormal country.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.
  • Account probing Low Identity Analytics

    A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Gain access to hosts by using stolen user-account credentials.
    Investigative actions: Check if the user account was compromised, and which resources it could access.
  • Brute-force attempt on a local account Informational Identity Analytics 1 variation

    A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the account.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Brute force on a local account

    Low overridden

    A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack. overridden

  • Email contains URL delivering high-risk file type Informational Email 1 variation

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.
    Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.

    Variations

    External email with URL delivers blocked file types

    Low overridden

    Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden

  • Excessive user account lockouts Low Identity Analytics 2 variations

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Determine if any programs have stored outdated credentials, causing account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Excessive user account lockouts from a suspicious source

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

    Excessive account lockouts on suspicious users

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

  • External Login Password Spray Informational Identity Analytics 6 variations

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Check the amount of time in between each login attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful login attempts and the ratio of login success versus login failures.

    Variations

    External Login Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    External Login Password Spray from Multiple Source Hosts

    Informational overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    Successful External Login Password Spray on a Domain Controller

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden

    Successful External Login Password Spray on a sensitive server

    Medium overridden

    An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time. overridden

    Successful External Login Password Spray

    Low overridden

    An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden

    External Login Password Spray on a Domain Controller

    Low overridden

    An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden

  • External email with a single internal recipient hidden in BCC Informational Email 1 variation

    External email with mailbox owner hidden in BCC as the only internal recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.
    Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    External email with only a hidden internal BCC recipient

    Informational overridden

    External email with no visible recipients, mailbox owner is hidden in BCC. overridden

  • FTP Connection Using an Anonymous Login or Default Credentials Low

    An FTP connection using an anonymous login was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • First VPN access attempt from a country in organization Informational Identity Analytics 1 variation

    A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    First successful VPN access from a country in organization

    Low overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • First connection from a country in organization Informational Identity Analytics 1 variation

    A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    First successful SSO connection from a country in organization

    Informational overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • Hydra Password Brute-Force Tool Execution High 1 variation

    Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: The attacker attempts to gain access to the account or host.
    Investigative actions: Verify that the commands are executed from a trusted source. Audit the victim account or host and verify that they haven't been compromised.

    Variations

    Hydra Password Brute-Force Tool Execution from a Kubernetes pod

    High overridden

    Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown. overridden

  • IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.
    Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.

    Variations

    Potential Targeted SSO Password Spray Activity Detected

    Medium overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

    Suspicious SSO Login Attempts from Multiple IPs

    Low overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

  • Impossible traveler - SSO Low Identity Analytics 3 variations

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

    Variations

    Impossible traveler - non-interactive SSO authentication

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    Possible Impossible traveler via SSO

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    SSO impossible traveler from a VPN or proxy

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

  • Impossible traveler - VPN Low Identity Analytics 3 variations

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.

    Variations

    Possible Impossible traveler via VPN

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler from a VPN or proxy

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler with an unusual parameter

    Medium overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

  • Intense SSO failures Informational Identity Analytics 1 variation

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.

    Variations

    Intense SSO failures with suspicious characteristics

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden

  • Interactive local account enumeration Low Identity Analytics

    Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.
  • Internal Login Password Spray Informational Identity Analytics 5 variations

    An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Check the amount of time in between each authentication attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful authentication attempts and the ratio of login success versus login failures. Monitor for potential abuse of MFA on users who have successfully logged in.

    Variations

    Suspicious intensive and short internal Login Password Spray

    Medium overridden

    An abnormally high number of login attempts within a very short period of time and suspicious automated behavior. overridden

    High-Volume Internal Password Spray Attack

    Medium overridden

    Over 500 user accounts failed to login within a short period of time. overridden

    Internal Login Password Spray with many wrong password attempts

    Low overridden

    An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time. overridden

    Internal Login Password Spray attempt on local user

    Low overridden

    An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time. overridden

    Internal Login Password Spray on many users

    Low overridden

    An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack. overridden

  • Kerberos Pre-Auth Failures by Host Low

    The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.This can indicate a password-spraying attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.
    Investigative actions: Verify whether the host that generated the alert is normally used by many users (for example, a terminal server). Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • Kerberos Pre-Auth Failures by User and Host Informational

    The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.This can indicate a Kerberos brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker is attempting to guess the credentials for the user account.
    Investigative actions: Verify that the password for the account has not been changed recently, without updating the user or the program using it. Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • Moniker link detected in URL(s) Informational Email 2 variations

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Malicious URLs
    Attacker's goals: Trick the user on clicking the link, while avoiding detection.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    A suspicious Moniker link, SMB and suspicious extension detected

    Medium overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

    A suspicious Moniker link pointing to SMB detected

    Low overridden

    A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden

  • Multiple Suspicious FTP Login Attempts Low

    Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Multiple user accounts failed login due to account lockouts Low Identity Analytics 1 variation

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if any programs were cached with old credentials, resulting in account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Excessive user account login failure due to lockout from a suspicious source

    Medium overridden

    A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden

  • NTLM Brute Force Informational Identity Analytics 2 variations

    This may indicate an NTLM brute force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    NTLM brute force on a sensitive user

    Medium overridden

    This may indicate an NTLM brute force attack. overridden

    High-frequency NTLM brute force attempts detected

    Low overridden

    This may indicate an NTLM brute force attack. overridden

  • NTLM Brute Force on a Service Account Low Identity Analytics

    This may indicate a NTLM brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the service accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • NTLM Brute Force on an Administrator Account Low Identity Analytics

    This may indicate an NTLM brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the administrator accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.
  • NTLM Password Spray Informational Identity Analytics 1 variation

    A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time. This may be indicative of a NTLM password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: The attacker may attempt to guess user credential by password spray attack over multiple machines.
    Investigative actions: Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.

    Variations

    NTLM password spray on a sensitive entity

    Low overridden

    A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity. This may be indicative of a NTLM password spray attack. overridden

  • Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations

    Identifies outbound emails that include links to file-sharing services sent externally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.
    Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.

    Variations

    Outbound email to external recipient(s) uses first-seen for organization file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

    Outbound email to external recipient(s) uses first-seen for sender file-sharing service

    Informational overridden

    Identifies outbound emails that include links to file-sharing services sent externally. overridden

  • Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.
    Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.

    Variations

    Outbound email sent to an unknown external BCC recipient with no To or CC addresses

    Low overridden

    Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden

  • Outbound email to an address hosted by a public email service provider Informational Email 1 variation

    Internal sender emailed to an address hosted by a public email service provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Outbound email to a single address hosted by a public email service provider

    Informational overridden

    Internal sender emailed to a single recipient with public email service provider. overridden

  • Possible Brute-Force attempt Informational Identity Analytics 2 variations

    This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)
    ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Possible Brute-Force attempt on a Honey User Account

    Medium overridden

    This may indicate a brute-force attack. overridden

    Possible Brute-Force attempt with a successful login and suspicious characteristics

    Low overridden

    This may indicate a brute-force attack. overridden

  • Possible brute force on sudo user Informational 1 variation

    A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker may gain full privileges to the host.
    Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.

    Variations

    Possible brute force on sudo user

    Low overridden

    A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password. overridden

  • Possible brute force or configuration change attempt on cytool High

    An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.This may indicate an attempt to guess the Administrator password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker may disable the agent to perform malicious activities.
    Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.
  • Possible external RDP Brute-Force Low Identity Analytics 2 variations

    Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to gain access to the accounts.
    Investigative actions: If the source IP is an internal IP, adjust network IP ranges. Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.

    Variations

    Possible external RDP Brute-Force on a Honey User Account

    Medium overridden

    Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack. overridden

    Potential External Brute-Force via RDP on Sensitive User

    Medium overridden

    Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.This may indicate a successful brute-force attack. overridden

  • Remote account enumeration Informational Identity Analytics 2 variations

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

    Variations

    Suspicious Remote domain account enumeration

    Medium overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

    Remote account enumeration on domain accounts

    Low overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

  • SSH authentication brute force attempts Informational Identity Analytics 2 variations

    A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    3 Hours
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Attackers attempt to log in to a remote host.
    Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.

    Variations

    Successful SSH Brute Force

    Low overridden

    A user successfully authenticated via SSH after an excessive number of failures in a short period. overridden

    Possible SSH Brute Force

    Low overridden

    A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack. overridden

  • SSO Brute Force Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Brute Force on a Honey User Account

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

  • SSO Password Spray Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

  • Single account excessively locked out Informational Identity Analytics 1 variation

    A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if there were any successful authentications (event ID 4624). Determine if any programs have stored outdated credentials, causing account lockouts. Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices. Confirm whether the user's credentials have been compromised or leaked. Review if the account is enrolled in multifactor authentication (MFA). Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.

    Variations

    Single suspicious account excessively locked out

    Low overridden

    A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account. overridden

  • Sudden spike in outbound email volume Informational Email 2 variations

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    2 Hours
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Sudden spike in outbound emails sent to external recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

    Sudden spike in outbound emails sent to internal recipients

    Informational overridden

    Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • Suspicious Kerberos Pre-Auth Failures by Host Low Identity Analytics

    An endpoint failed unusual number of Kerberos pre-authentications (TGT requests) which may indicate a password-spraying attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.
    Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Review source host activity to detect any additional suspicious or lateral movement behavior. Correlate successful logons from the source host to identify potential account compromises following the failed attempts.
  • Suspicious sshpass command execution Low 1 variation

    The sshpass command was executed, This could be an attempt to check for credential stuffing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Credential Stuffing (T1110.004)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to check and reuse credentials on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Suspicious sshpass command execution in a Kubernetes pod

    Low overridden

    The sshpass command was executed, This could be an attempt to check for credential stuffing. overridden

  • Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation

    Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)
    Required data: Microsoft 365 Emails
    Detector tags: Evasion, Phishing
    Attacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.
    Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.

    Variations

    Usage of homograph characters detected in an email attachment(s) extension

    Low overridden

    Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden

  • User attempted to connect from a suspicious country Informational Identity Analytics 1 variation

    A user connected from an unusual country. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    User successfully connected from a suspicious country

    Low overridden

    A user successfully connected from an unusual country. This may indicate the account was compromised. overridden

  • VPN Login Password Spray Informational Identity Analytics 2 variations

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: Analyze the time intervals between login attempts to check for patterns indicative of a password spraying attack. Investigate the cause of the login failures (e.g. incorrect passwords, account lockouts, other factors). Review the geographic regions behind the failed login attempts. Investigate if a successful login was made after unsuccessful attempts. Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.

    Variations

    Successful VPN Password Spray Threat Detected with unusual characteristics

    Medium overridden

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden

    VPN login password spray with unusual characteristics

    Low overridden

    An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden

  • VPN login Brute-Force attempt Informational Identity Analytics 2 variations

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker attempts to gain access to the account.
    Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.

    Variations

    Successful VPN Login Brute Force

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden

    VPN login brute-force attempt with suspicious characteristics

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden