Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. tactic: TA0006 ✕ technique: T1586 ✕

Show ATT&CK heatmap
  • A user connected from a new country Informational Identity Analytics 1 variation

    A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    A user connected from a new country - suspicious characteristics detected

    Low overridden

    The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden

  • A user connected to a VPN from a new country Informational Identity Analytics 1 variation

    A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    A user connected to a VPN from a suspicious country

    Low overridden

    A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden

  • A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation

    A user logged in from an unusual country or ASN. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.

    Variations

    A service account successfully logged in from a new country or ASN

    Low overridden

    A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden

  • A user rejected an SSO request from an unusual country Low Identity Analytics

    A user rejected an SSO authentication request from an abnormal country.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.
  • First VPN access attempt from a country in organization Informational Identity Analytics 1 variation

    A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.

    Variations

    First successful VPN access from a country in organization

    Low overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • First connection from a country in organization Informational Identity Analytics 1 variation

    A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    First successful SSO connection from a country in organization

    Informational overridden

    A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden

  • IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.
    Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.

    Variations

    Potential Targeted SSO Password Spray Activity Detected

    Medium overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

    Suspicious SSO Login Attempts from Multiple IPs

    Low overridden

    A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden

  • Impossible traveler - SSO Low Identity Analytics 3 variations

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

    Variations

    Impossible traveler - non-interactive SSO authentication

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    Possible Impossible traveler via SSO

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

    SSO impossible traveler from a VPN or proxy

    Informational overridden

    User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden

  • Impossible traveler - VPN Low Identity Analytics 3 variations

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    7 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.

    Variations

    Possible Impossible traveler via VPN

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler from a VPN or proxy

    Informational overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

    VPN impossible traveler with an unusual parameter

    Medium overridden

    A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden

  • Multiple Okta MFA requests sent to a user Informational Identity Analytics 1 variation

    Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Multi-Factor Authentication Request Generation (T1621)
    Required data: Okta
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Verify the reasoning behind the MFA request rejections. Follow further actions performed by the user.

    Variations

    Multiple Okta MFA requests sent to a user with unusual characteristics

    Low overridden

    Multiple SSO MFA attempts were sent to the user. This may indicate an MFA fatigue attack. overridden

  • SSO Brute Force Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Brute Force on a Honey User Account

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

    SSO Brute Force Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden

  • SSO Password Spray Informational Identity Analytics 3 variations

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.
    Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.

    Variations

    SSO Password Spray Involving a Honey User

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Threat Detected

    Medium overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

    SSO Password Spray Activity Observed

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden

  • User attempted to connect from a suspicious country Informational Identity Analytics 1 variation

    A user connected from an unusual country. This may indicate the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.

    Variations

    User successfully connected from a suspicious country

    Low overridden

    A user successfully connected from an unusual country. This may indicate the account was compromised. overridden

  • VPN login Brute-Force attempt Informational Identity Analytics 2 variations

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)
    ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker attempts to gain access to the account.
    Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.

    Variations

    Successful VPN Login Brute Force

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden

    VPN login brute-force attempt with suspicious characteristics

    Low overridden

    A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden