Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0007 ✕ technique: T1078 ✕
Show ATT&CK heatmapA user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.Variations
A user accessed multiple resources via SSO using an anonymized proxy
Medium overridden
A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden
Suspicious user access to multiple resources via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
Multiple Resource Access from a New IP via SSO
Low overridden
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden
First SSO Resource Access in the Organization Informational Identity Analytics 1 variation
A resource was accessed for the first time via SSO.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Use a possibly compromised account to access privileged resources.Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.Variations
Abnormal first access to a resource via SSO in the organization
Low overridden
A resource was accessed for the first time via SSO with suspicious characteristics. overridden
Multiple failed AWS assume role attempts Informational Cloud 1 variation
An AWS identity performed an unusual high number of failed assume role attempts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.Variations
Suspicious multiple failed AWS assume role attempts
Medium overridden
An AWS identity performed an unusual high number of failed assume role attempts. overridden