Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0007 ✕ technique: T1558 ✕
Show ATT&CK heatmapDiscovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Suspicious discovery of accounts without pre-authentication required via LDAP
Medium overridden
A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden