Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. tactic: TA0007 ✕ technique: T1069 ✕

Show ATT&CK heatmap
  • A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation

    A user executed multiple LDAP enumeration queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server)
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.

    Variations

    A user executed suspicious LDAP enumeration queries

    Low overridden

    A user executed multiple LDAP enumeration queries. overridden

  • AWS IAM permission groups discovery operation Informational Cloud 1 variation

    AWS IAM permission groups discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Cloud Groups (T1069.003)
    Required data: AWS Audit Log
    Attacker's goals: Understand the IAM structure and relationships between users, groups, and roles. Identify high-privilege identities or misconfigurations for privilege escalation.
    Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.

    Variations

    Unusual AWS IAM permission groups discovery operation

    Informational overridden

    First execution of an AWS IAM permission groups discovery operation by a non-user identity. overridden

  • An Azure identity performed multiple actions that were denied Informational Cloud 3 variations

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Execute various of commands to explore the cloud environment.
    Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.

    Variations

    An Azure application attempted multiple actions on resources that were denied

    Medium overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

    An Azure identity attempted multiple actions on resources that were denied

    Low overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

    An Azure application performed multiple actions that were denied

    Low overridden

    An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden

  • Cloud user performed multiple actions that were denied Informational Cloud 1 variation

    An identity performed multiple actions that were denied, which may indicate it is being misused.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Execute various commands to explore the cloud environment.
    Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.

    Variations

    Cloud non-user identity performed multiple actions that were denied

    Low overridden

    An identity performed multiple actions that were denied, which may indicate it is being misused. overridden

  • IAM Enumeration sequence Informational Cloud 1 variation

    An identity has executed a sequence of events which may be related to an IAM recon enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.

    Variations

    IAM Enumeration sequence executed from a cloud Internet facing instance

    Low overridden

    A cloud Internet facing instance performed an unusual IAM enumeration. overridden

  • Local group enumeration Informational Identity Analytics 2 variations

    A user performed an enumeration on local groups to retrieve their details.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Local group enumeration for the first time

    Low overridden

    A user performed an enumeration on local groups to retrieve their details. overridden

    Local group enumeration using a builtin Windows binary

    Informational overridden

    A user performed an enumeration on local groups to retrieve their details. overridden

  • Local group enumeration via RPC Informational 1 variation

    A user enumerated local groups via RPC.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.
    Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.

    Variations

    Remote local group enumeration via RPC

    Informational overridden

    A user enumerated local groups via RPC. overridden

  • Permission Groups discovery commands Informational 1 variation

    Permission group discovery command execution.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Collect information about the host.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Permission Groups discovery commands in a Kubernetes pod

    Informational overridden

    Permission group discovery command execution. overridden

  • Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Possible admin enumeration via LDAP

    Informational overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    A user executed an LDAP enumeration query with suspicious characteristics

    Medium overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    Rare LDAP enumeration query executed by a user

    Low overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

  • Uncommon net group command execution Informational 7 variations

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon unsigned net group administrators command execution

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon unsigned net group administrators command execution - fixed localization issues

    High overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group administrators command execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group administrators command execution

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon remote net group execution

    Low overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

    Uncommon administrator net group execution by scripting engine or command prompt

    Medium overridden

    Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup command execution Informational 7 variations

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)
    ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)
    Required data: XDR Agent
    Attacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup administrators command execution by a web server process or CGO

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden

    Uncommon unsigned net localgroup administrators command execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon unsigned net localgroup administrators command execution - fixed localization issues

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup administrators command execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon net localgroup execution

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon remote net localgroup execution

    Medium overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

    Uncommon administrator net localgroup execution by scripting engine or command prompt

    Low overridden

    Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden

  • Uncommon net localgroup execution Informational 1 variation

    The 'net localgroup' command is used to add, display, or modify groups local to the host. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Permission Groups Discovery (T1069)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.
    Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.

    Variations

    Uncommon net localgroup execution by an untrusted CGO

    Low overridden

    The 'net localgroup' command is used to add, display, or modify groups local to the host by an untrusted CGO. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships. overridden

  • Unusual IAM enumeration activity by a non-user Identity Informational Cloud

    An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: Gcp Audit Log
    Attacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.
  • User and Group Enumeration via SAMR Informational

    The endpoint performed unfamiliar SAMR querying activity to a domain controller.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may enumerate users and groups to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC-based services to multiple hosts. Check if there are any other suspicious activities originating from the same machine.