Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0006 ✕ technique: T1556 ✕
Show ATT&CK heatmapA user attempted to bypass Okta MFA Low Identity Threat Module 1 variation
A user may have attempted to bypass Okta MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.Variations
A successful bypass of Okta MFA
Low overridden
Suspicious MFA bypass attempt in Okta. overridden
A user modified an Okta MFA factor Informational Identity Threat Module 1 variation
An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.Variations
Abnormal Okta MFA Factor Authentication Modification
Low overridden
An OKTA MFA factor was modified by a user with suspicious conditions. overridden
Google Workspace user authentication information changed Informational Identity Threat Module 2 variations
Google Workspace authentication information was changed for a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.Variations
Google Workspace administrative user authentication information changed
Low overridden
Google Workspace authentication information was changed for a user. overridden
Google Workspace user authentication information changed by another account
Low overridden
Google Workspace authentication information was changed for a user. overridden
Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.Key credential attribute modification Informational Identity Analytics 2 variations
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker may be attempting to add shadow credentials to an account, gaining persistent unauthorized access.Investigative actions: Follow further PKINIT authentication activity by the modified identity. Verify if Windows Hello for Business is enabled, as this is a common benign cause for this activity. Check if the modified credential maps to an existing device ID in Entra ID. Examine recent activity from the user account, including logon patterns and privilege changes.Variations
Possible shadow credentials addition
Medium overridden
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden
Key credential attribute addition
Low overridden
A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden
MFA Disabled for Google Workspace Low Identity Threat Module 1 variation
An administrator has disabled Multi-Factor Authentication for Google Workspace users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to Google Workspace accounts with disabled MFA. Exploit Google Workspace accounts with weaker security. Steal sensitive data from Google Workspace accounts.Investigative actions: Check the MFA settings for the Google Workspace users. Identify the users who have MFA disabled and investigate the reason for it. Check the security log to see if there have been any suspicious activities in the account.Variations
MFA Disabled for Google Workspace from an unusual caller IP ASN
Low overridden
An administrator has disabled Multi-Factor Authentication for Google Workspace users. overridden
MFA was disabled for an Azure identity Low Identity Threat Module 2 variations
MFA was disabled for the user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process (T1556)Required data: AzureAD Audit LogAttacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.Variations
Suspicious MFA was disabled for an Azure identity
Medium overridden
MFA was disabled for the user. overridden
MFA was disabled for an Azure identity regularly by the user
Informational overridden
MFA was disabled for the user. overridden
Modification of PAM Informational 1 variation
Modification of PAM configuration files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Credential access, defense evasion or persistence.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Modification of PAM from a Kubernetes pod
Informational overridden
Modification of PAM configuration files. overridden
Weakly-Encrypted Kerberos TGT Response Informational 1 variation
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).Variations
Abnormal Weakly-Encrypted Kerberos TGT Response
Low overridden
A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden