Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

72 alerts match the current filters. tactic: TA0009 ✕

Show ATT&CK heatmap
  • A Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Access sensitive data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.

    Variations

    A suspicious Google Workspace identity used the security investigation tool

    Low overridden

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden

  • A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation

    A rule was set up to forward emails outside the Google Workspace domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.
    Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.

    Variations

    A mail forwarding rule was configured in Google Workspace to an uncommon domain

    High overridden

    A rule was set up to forward emails outside the Google Workspace domain. overridden

  • A rare FTP user has been detected on an existing FTP server Low 1 variation

    A rare or new FTP user has been detected on an existing FTP server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.

    Variations

    Possible FTP User Scanning Detected

    Low overridden

    A rare or new FTP user has been detected on an existing FTP server. overridden

  • A user accessed an abnormal number of remote shared folders Informational Identity Threat Module 1 variation

    A user accessed an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Network Shared Drive (T1039)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect valuable data about the organization for exfiltration purposes.
    Investigative actions: Check for other suspicious activity made by the user at the time of the event. Inspect the shared folder and verify if the user should have accessed to that folder. Go over the list of files and check if such user should have access to those files.

    Variations

    A user accessed an abnormal number of remote shared folders for the first time

    Low overridden

    A user accessed for the first time to an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration. overridden

  • A user connected a USB storage device for the first time Informational Identity Threat Module

    A user connected a USB storage device for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to a host Informational Identity Threat Module

    A user connected a new USB storage device that was not seen for this user and host in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to multiple hosts Low Identity Threat Module

    A user connected a new USB storage device to multiple endpoints.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user created an abnormal password-protected archive Informational Identity Threat Module

    A user created an abnormal password-protected archive using an archive program.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.
  • A user performed suspiciously massive file activity Informational Identity Threat Module 1 variation

    A user generated massive file activity by size or distinct file count.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001) Data Staged: Remote Data Staging (T1074.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.

    Variations

    A user performed suspiciously large file activities over 1 GB in a short period of time

    Low overridden

    A user generated massive file activity by size or distinct file count. overridden

  • A user took numerous screenshots Informational Identity Threat Module

    A user took numerous screenshots. A valuable organization's information may have been collected in this way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Screen Capture (T1113) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether this activity fits the user profile. Check for any other suspicious activity related to the host and the user involved in the alert. Check if there was a suspicious file upload following the massive screenshot activity. Check whether other users in the organization used the same process for file activity.
  • An EBS snapshot block was downloaded Informational Cloud 2 variations

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An EBS snapshot block was downloaded from a snapshot with sensitive data

    Medium overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden

    An unusual download of EBS snapshot block

    Low overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden

  • An identity accessed a backup cloud storage Informational Cloud 1 variation

    An identity accessed a backup cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity accessed a backup cloud storage which wasn't read recently

    Low overridden

    An identity accessed a backup cloud storage. overridden

  • An identity accessed a cloud storage for the first time Informational Cloud

    An identity accessed a cloud storage resource for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.
  • An identity accessed cloud storage containing sensitive data Informational Cloud

    An identity accessed cloud storage containing sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • An identity initiated a download of multiple cloud objects Informational Cloud 2 variations

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume

    Medium overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden

    An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume

    Low overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden

  • An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An identity performed a suspicious download of multiple cloud storage objects from an internal IP

    Informational overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    High overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects from multiple buckets

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden

  • An unpopular process accessed the microphone on the host Low 1 variation

    An unpopular process accessed the microphone on the host, the process can abuse this device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Audio Capture (T1123) Video Capture (T1125)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Surround recording or video capture in the workplace may leak corporate data. Surround recording or video capture of the user space can expose them to potential risks as worker extortion, sextortion, etc.
    Investigative actions: Check if the application that registered in the Microsoft privacy settings (ConsentStore in registry) is legitimate. Check if the user was aware of the use of the device.

    Variations

    An unpopular process accessed the webcam on the host

    Low overridden

    An unpopular process accessed the webcam on the host, the process can abuse this device. overridden

  • An unusual archive file creation by a user Informational Identity Threat Module 1 variation

    An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Stage data on an endpoint in the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    A user created an archive file for the first time

    Informational overridden

    A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden

  • An unusual read activity of cloud object Informational Cloud

    An identity accessed a cloud object filetype for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • Azure mailbox rule creation Informational Cloud 1 variation

    A Mailbox rule in Azure was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Intercept or exfiltrate sensitive information.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.

    Variations

    Unusual Azure mailbox rule creation

    Low overridden

    A Mailbox rule in Azure was created. overridden

  • Certutil pfx parsing Low

    Certutil was used to parse a pfx certificate file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Local System (T1005)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers want to check pfx details. If details suffice, the correct certificate can be used for authentication, persistence or NTLM extraction.
    Investigative actions: Check if the pfx parsing is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).
  • Cloud compute volume creation attempt Informational Cloud 1 variation

    An attempt was made to create an EBS volume.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on snapshots.
    Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.

    Variations

    Cloud compute volume creation attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to create an EBS volume. overridden

  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

  • Compressing data using python Low

    Usage of a Python module to compress files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Library (T1560.002)
    Required data: XDR Agent
    Attacker's goals: Collecting and staging data before exfiltration.
    Investigative actions: Investigate the process and command line for access to sensitive files.
  • DLP sensitive data exposed to external users Informational Identity Threat Module Email 1 variation

    A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to access sensitive information.
    Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.

    Variations

    High-severity DLP sensitive data exposed to external users

    Low overridden

    A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information. overridden

  • Data exfiltration from cloud database Low Cloud 2 variations

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation.

    Variations

    Data exfiltration from cloud database containing sensitive data from a production account toa foreign account

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

    Suspicious data exfiltration from cloud database

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

  • EBS snapshots were created from an EC2 instance Informational Cloud 2 variations

    One or more EBS snapshots were created from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Clone existing compute volumes for exfiltration purposes. This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.
    Investigative actions: Confirm that the identity intended to create the described snapshots. Monitor the source instance for additional suspicious activities. Follow further actions done by the identity.

    Variations

    EBS snapshots were created from an EC2 instance attached one or more volumes with sensitive data

    Informational overridden

    One or more EBS snapshots were created from an EC2 instance.The instance has one or more volumes attached containing sensitive data. overridden

    An unusual creation of EBS snapshots from an EC2 instances

    Low overridden

    One or more EBS snapshots were created from an EC2 instance.The operation was not performed by this identity in the last 30 days. overridden

  • Exchange compliance search created Informational Identity Threat Module Email 2 variations

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is searching mailboxes to access sensitive information.
    Investigative actions: Follow further actions done by the account. Check to see if the search contained sensitive information. Check if any data was exfiltrated after the search. Look for suspicious search terms.

    Variations

    Suspicious Exchange compliance search created

    Low overridden

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. The query contains potentially suspicious keywords, which could indicate an attempt of sensitive data collection. overridden

    Exchange compliance search created for the first time

    Low overridden

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. overridden

  • Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.
    Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange inbox forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange inbox forwarding rule configured

    Medium overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden

    External Exchange inbox forwarding rule configured

    Low overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden

  • Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.
    Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange transport forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange transport forwarding rule configured

    Medium overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden

  • Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.

    Variations

    Exchange user mailbox forwarding by a delegate user

    Informational overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange user mailbox forwarding

    Medium overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden

  • External SaaS file-sharing activity Informational Identity Threat Module 1 variation

    A user shared files from within a SaaS service to an external domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may share files from a SaaS service to exfiltrate sensitive data.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Determine if the files are shared with users outside the organization and if the recipients are familiar. Review the files that were shared to determine if they contain sensitive data. Analyze the file types that were shared. Monitor the account for any further suspicious actions.

    Variations

    SaaS external file sharing to an abnormal domain

    Low overridden

    A user shared files to an external domain, which the organization does not typically share files with. overridden

  • Gmail routing settings changed Informational Identity Threat Module 1 variation

    Gmail routing settings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged (T1074) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Email Collection.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new routing settings look suspicious. Investigate the IP address associated with the routing settings. Follow further actions done by the account.

    Variations

    Gmail routing settings changed by a non-administrative Google Workspace identity

    Low overridden

    Gmail routing settings were modified. overridden

  • Keylogging using system commands Low 1 variation

    Usage of a Linux system utility to capture input.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Input Capture: Keylogging (T1056.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may capture keystrokes to intercept user credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Keylogging using system commands in a Kubernetes pod

    Low overridden

    Usage of a Linux system utility to capture input. overridden

  • Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation

    A user accessed a large volume of files potentially containing credentials in Google Drive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)
    ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.

    Variations

    Possible credential files harvesting in Google Drive

    Low overridden

    A user accessed a large volume of files potentially containing credentials in Google Drive. overridden

  • Mailbox Client Access Setting (CAS) changed Medium

    An attacker may use PowerShell to change the Client Access Settings (CAS) for a mailbox, hence gaining access to the data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access to the data in the compromised mailbox.
    Investigative actions: Examine the PowerShell command to identify which mailbox's access setting has been modified. Verify that the change in the client access setting was executed by a trusted source.
  • Massive file activity abnormal to process Informational Identity Threat Module 1 variation

    A user generated massive file activity by size or distinct file count.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.

    Variations

    Massive file activity over 500 MB abnormal to process

    Low overridden

    A user generated massive file activity by size or distinct file count. overridden

  • Massive file compression by user Informational Identity Threat Module

    Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Stage data on an endpoint in the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • Massive file downloads from SaaS service Informational Identity Threat Module Email 3 variations

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may download files from a SaaS service to exfiltrate sensitive data.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were downloaded to determine if they contain sensitive data. Verify if the user account that downloaded the files is authorized to access them. Analyze the file types that were downloaded. Monitor the account for any further suspicious actions.

    Variations

    Suspicious SaaS service file downloads

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. The user connected from an unknown IP and displayed suspicious characteristics. overridden

    Massive file downloads from SaaS service by terminated user

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden

    Massive code file downloads from SaaS service

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden

  • Massive upload to SaaS service Informational Identity Threat Module 1 variation

    A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.

    Variations

    Massive upload to SaaS service by suspicious user

    Low overridden

    A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden

  • Microsoft 365 storage services exfiltration activity Low Cloud

    The Microsoft Graph API was used to download Microsoft OneDrive and SharePoint files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft 365 storage services.
    Investigative actions: Determine which items were downloaded and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft Teams messages were exported from conversation Informational Identity Threat Module 1 variation

    Microsoft Teams messages were exported from conversation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.
    Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

    Variations

    Microsoft Teams messages were exported from conversation by a privileged user for the first time

    Low overridden

    Microsoft Teams messages were exported from conversation. overridden

  • New FTP Server Low 2 variations

    A new FTP server has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.

    Variations

    New FTP Server Accessed Via a Port Scan

    Informational overridden

    A new FTP server has been detected. overridden

    New FTP Server from an external source

    Low overridden

    A new FTP server has been detected. overridden

  • OneDrive file download Informational Cloud

    A file was downloaded from OneDrive using the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Exfiltrate sensitive data by downloading files from OneDrive.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • OneDrive folder creation Informational Cloud

    A folder was created in OneDrive using Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Remote Data Staging (T1074.002)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Establish persistence or prepare for data exfiltration by creating a storage location in OneDrive via the Microsoft Graph API, enabling them to later upload or manipulate files undetected.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Outlook files accessed by an unsigned process Low

    An attacker may use an uncommon and unsigned process to access Outlook data files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001) Email Collection: Local Email Collection (T1114.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access to the data in the compromised mailbox.
    Investigative actions: Examine the process command and file activity to identify the mailbox. Check if the process performed any other suspicious file activity. Check if the process generated network connections.
  • Possible Email collection using Outlook RPC Informational

    Outlook was executed using RPC by an uncommon parent process, this may be an indication of email collection activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection: Local Email Collection (T1114.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to perform email collection or manipulation using Outlook.
    Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use Outlook in its operation to send or extract emails.
  • Possible collection of screen captures with Windows Problem Steps Recorder Medium

    Windows Problem Steps Recorder (psr.exe), can record screen and clicks. Adversaries may abuse psr.exe to create screen captures and collect them afterward.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Screen Capture (T1113)
    Required data: XDR Agent
    Attacker's goals: Evading security controls and collecting screen captures of the desktop.
    Investigative actions: Check the causality of execution and if the TSS script was executed (Microsoft Troubleshooting Script). If output parameters in the command line are executed by the user. If the parent process is known in the organization as a support tool.
  • Possible data exfiltration over a USB storage device Informational Identity Threat Module

    A process generated massive file creation, renaming and write activity to a USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.
  • Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation

    A user generated abnormal massive file activity to a connected USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.

    Variations

    Possible internal data exfiltration of over 500 MB via USB storage device

    Low overridden

    A user generated abnormal massive file activity to a connected USB storage device. overridden

  • Potential Okta access limit breach Informational Identity Threat Module 1 variation

    A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)
    ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    A breach in access limits within Okta, accompanied by suspicious characteristics

    Low overridden

    The user exceeded the access threshold in Okta, triggering a violation alert. overridden

  • PowerShell used to export mailbox contents Medium

    An attacker may use PowerShell to export the contents of a mailbox as part of the data staging before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Export the content of a mailbox, preparing for data exfiltration.
    Investigative actions: Examine the PowerShell command to identify which mailbox has been exported. Verify that this command was executed by a trusted source.
  • Rare DLP rule match by user Informational Identity Threat Module Email 1 variation

    A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to access sensitive information.
    Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.

    Variations

    DLP rule match by user for the first time

    Low overridden

    A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information. overridden

  • Retrieval of cloud compute EC2 instance user data Informational Cloud 1 variation

    A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119)
    Required data: AWS Audit Log
    Attacker's goals: Access sensitive instance metadata or startup scripts.
    Investigative actions: Verify whether this action is expected. Inspect the user data script for sensitive data.

    Variations

    Unusual Retrieval of cloud compute instance user data

    Low overridden

    A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance. overridden

  • SAAS - Email was reported by the user or administrator as a phishing attempt Informational Email 2 variations

    An email reported by the user or administrator as a phishing attempt has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.
    Investigative actions: Analyze the sender's IP address and domain reputation. Check if the sender has appeared in other logs or alerts across the organization. Review any URLs or attachments for signs of phishing, malware, or command-and-control communication. Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise. Determine whether similar emails were sent to other users to identify a broader campaign.

    Variations

    SAAS - Phishing report with suspicious verdict on an internal user's email

    Low overridden

    An email sent by an internal user was reported by a recipient or administrator as a phishing attempt.This may indicate a compromised account. overridden

    SAAS - Phishing report with with suspicious verdict

    Low overridden

    An email with a Malware/Block verdict reported by the user or administrator has been detected. overridden

  • Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations

    A user sent sensitive email messages to external users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive email information.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Exchange mail to external account matching high severity DLP rules

    Low overridden

    A user sent sensitive email messages to external users. overridden

    Sensitive Exchange mail sent to an external user

    Low overridden

    A user sent sensitive email messages to external users. overridden

  • Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    A non admin identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Suspicious ML Model Download Informational Cloud 1 variation

    A model artifact was accessed from cloud storage by an identity that typically doesn't interact with model files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Adversaries may collect ML artifacts for exfiltration or for use in ML Attack Staging.
    Investigative actions: Examine the bucket to determine which model was accessed. Verify that this command was executed by a trusted source.

    Variations

    Suspicious First-Time AI Model Download by Identity

    Medium overridden

    A model artifact was accessed from cloud storage by an identity that did not interact with model files recently. overridden

  • Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation

    A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Suspicious access to Kubernetes API with kubelet credentials from unusual pod

    Medium overridden

    A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden

  • Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    Suspicious identity with DevOps behavior downloaded multiple objects from a bucket

    Informational overridden

    An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    Suspicious identity downloaded multiple objects from a bucket that contains sensitive files

    Medium overridden

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden

    Suspicious identity downloaded multiple objects from a backup storage bucket

    Medium overridden

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

  • Suspicious secrets dump activity Informational Cloud 2 variations

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity extracted every secret within the organization across multiple regions

    Medium overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Uncommon GetClipboardData API function invocation of a possible information stealer Informational

    An unpopular process accessed clipboard content by calling the GetClipboardData API function. This behavior may indicate potential threats such as a keylogger or a RAT.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Clipboard Data (T1115)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can monitor the clipboard as another way for credential gathering or to collect more user data over time for espionage purposes.
    Investigative actions: Check if the process has a user interface (a visible window). Check if the process is a known user application that was updated recently.
  • Uncommon SetWindowsHookEx API invocation of a possible keylogger Medium

    A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Input Capture: Keylogging (T1056.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.
    Investigative actions: Check if the process has a user interface (a visible window). Check if the process has an option to set or modify keyboard hot-keys. Check if the process is part of a remote control tool. Check if the process is a known user application that was updated recently. Check if the process is built with AutoHotkey and is known to the user. If the process is a scripting engine or a hosting executable, check the actor process command line. Investigate the endpoint if the process writes files to disk.
  • Unusual compressed file password protection Low 1 variation

    An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Exfiltrate or hide sensitive data.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual compressed file password protection in a Kubernetes pod

    Low overridden

    An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them. overridden

  • Unusual process accessed a crypto wallet's files Low

    An unusual process has accessed files belonging to a cryptocurrency wallet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Local System (T1005)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to cryptocurrency stored in the wallet.
    Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Audit the usage of the cryptocurrency stored in the wallet.
  • Unusual process accessed a macOS notes DB file Informational 1 variation

    An unusual process has accessed a user's notes DB file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to user's notes and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access user's notes. Analyze the process/application that accessed the DB file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above notes.

    Variations

    Unusual unsigned process accessed a macOS notes DB file

    Low overridden

    An unusual process has accessed a user's notes DB file. overridden

  • Unusual process accessed a messaging app's files Low

    An unusual process has accessed files belonging to a messaging app.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)
    ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's message history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.
  • Unusual process accessed a web browser history file Low 1 variation

    An unusual process has accessed a web browser history file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Collection (TA0009)
    ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's browsing history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.

    Variations

    Unusual process accessed a web browser history file on Linux

    Low overridden

    An unusual process has accessed a web browser history file. overridden

  • User accessed SaaS resource via anonymous link Informational Identity Threat Module 2 variations

    A user accessed a SaaS resource via an anonymous link.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker is attempting to collect sensitive data.
    Investigative actions: Check the IP address from which the access originated. Examine the file that was accessed for any sensitive indicators. Follow further actions taken, such as downloading files.

    Variations

    External user accessed a sensitive SaaS file via anonymous link

    Low overridden

    An external user accessed a sensitive SaaS file via an anonymous link. overridden

    User accessed a public Google Drive document

    Informational overridden

    A user accessed a Google Drive document that is public on the web. overridden

  • User accessed multiple O365 AIP sensitive files Informational Identity Threat Module

    A user accessed multiple O365 AIP sensitive files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive information.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.
  • User collected remote shared files in an archive Low Identity Threat Module

    Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.
  • User exported multiple messages in Microsoft Teams via Graph API Informational Identity Threat Module 3 variations

    A user exported multiple messages in Microsoft Teams via Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.
    Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

    Variations

    User exported multiple chats in Microsoft Teams via Graph API

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

    User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

    User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden