Analytics Alerts
Browse the Cortex analytics alert reference.
72 alerts match the current filters. tactic: TA0009 ✕
Show ATT&CK heatmapA Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation
A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Access sensitive data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.Variations
A suspicious Google Workspace identity used the security investigation tool
Low overridden
A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden
A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation
A rule was set up to forward emails outside the Google Workspace domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.Variations
A mail forwarding rule was configured in Google Workspace to an uncommon domain
High overridden
A rule was set up to forward emails outside the Google Workspace domain. overridden
A rare FTP user has been detected on an existing FTP server Low 1 variation
A rare or new FTP user has been detected on an existing FTP server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.Variations
Possible FTP User Scanning Detected
Low overridden
A rare or new FTP user has been detected on an existing FTP server. overridden
A user accessed an abnormal number of remote shared folders Informational Identity Threat Module 1 variation
A user accessed an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Network Shared Drive (T1039)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect valuable data about the organization for exfiltration purposes.Investigative actions: Check for other suspicious activity made by the user at the time of the event. Inspect the shared folder and verify if the user should have accessed to that folder. Go over the list of files and check if such user should have access to those files.Variations
A user accessed an abnormal number of remote shared folders for the first time
Low overridden
A user accessed for the first time to an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration. overridden
A user connected a USB storage device for the first time Informational Identity Threat Module
A user connected a USB storage device for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to a host Informational Identity Threat Module
A user connected a new USB storage device that was not seen for this user and host in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to multiple hosts Low Identity Threat Module
A user connected a new USB storage device to multiple endpoints.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user created an abnormal password-protected archive Informational Identity Threat Module
A user created an abnormal password-protected archive using an archive program.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.A user performed suspiciously massive file activity Informational Identity Threat Module 1 variation
A user generated massive file activity by size or distinct file count.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001) Data Staged: Remote Data Staging (T1074.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.Variations
A user performed suspiciously large file activities over 1 GB in a short period of time
Low overridden
A user generated massive file activity by size or distinct file count. overridden
A user took numerous screenshots Informational Identity Threat Module
A user took numerous screenshots. A valuable organization's information may have been collected in this way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether this activity fits the user profile. Check for any other suspicious activity related to the host and the user involved in the alert. Check if there was a suspicious file upload following the massive screenshot activity. Check whether other users in the organization used the same process for file activity.An EBS snapshot block was downloaded Informational Cloud 2 variations
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An EBS snapshot block was downloaded from a snapshot with sensitive data
Medium overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden
An unusual download of EBS snapshot block
Low overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden
An identity accessed a backup cloud storage Informational Cloud 1 variation
An identity accessed a backup cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity accessed a backup cloud storage which wasn't read recently
Low overridden
An identity accessed a backup cloud storage. overridden
An identity accessed a cloud storage for the first time Informational Cloud
An identity accessed a cloud storage resource for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.An identity accessed cloud storage containing sensitive data Informational Cloud
An identity accessed cloud storage containing sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.An identity initiated a download of multiple cloud objects Informational Cloud 2 variations
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume
Medium overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden
An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume
Low overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An identity performed a suspicious download of multiple cloud storage objects from an internal IP
Informational overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
An identity performed a suspicious download of multiple cloud storage objects
High overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden
An unpopular process accessed the microphone on the host Low 1 variation
An unpopular process accessed the microphone on the host, the process can abuse this device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Audio Capture (T1123) Video Capture (T1125)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Surround recording or video capture in the workplace may leak corporate data. Surround recording or video capture of the user space can expose them to potential risks as worker extortion, sextortion, etc.Investigative actions: Check if the application that registered in the Microsoft privacy settings (ConsentStore in registry) is legitimate. Check if the user was aware of the use of the device.Variations
An unpopular process accessed the webcam on the host
Low overridden
An unpopular process accessed the webcam on the host, the process can abuse this device. overridden
An unusual archive file creation by a user Informational Identity Threat Module 1 variation
An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user created an archive file for the first time
Informational overridden
A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden
An unusual read activity of cloud object Informational Cloud
An identity accessed a cloud object filetype for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Azure mailbox rule creation Informational Cloud 1 variation
A Mailbox rule in Azure was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Intercept or exfiltrate sensitive information.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Variations
Unusual Azure mailbox rule creation
Low overridden
A Mailbox rule in Azure was created. overridden
Certutil pfx parsing Low
Certutil was used to parse a pfx certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Local System (T1005)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers want to check pfx details. If details suffice, the correct certificate can be used for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx parsing is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Cloud compute volume creation attempt Informational Cloud 1 variation
An attempt was made to create an EBS volume.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on snapshots.Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.Variations
Cloud compute volume creation attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to create an EBS volume. overridden
Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Compressing data using python Low
Usage of a Python module to compress files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Library (T1560.002)Required data: XDR AgentAttacker's goals: Collecting and staging data before exfiltration.Investigative actions: Investigate the process and command line for access to sensitive files.DLP sensitive data exposed to external users Informational Identity Threat Module Email 1 variation
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to access sensitive information.Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.Variations
High-severity DLP sensitive data exposed to external users
Low overridden
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information. overridden
Data exfiltration from cloud database Low Cloud 2 variations
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation.Variations
Data exfiltration from cloud database containing sensitive data from a production account toa foreign account
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Suspicious data exfiltration from cloud database
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
EBS snapshots were created from an EC2 instance Informational Cloud 2 variations
One or more EBS snapshots were created from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Clone existing compute volumes for exfiltration purposes. This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.Investigative actions: Confirm that the identity intended to create the described snapshots. Monitor the source instance for additional suspicious activities. Follow further actions done by the identity.Variations
EBS snapshots were created from an EC2 instance attached one or more volumes with sensitive data
Informational overridden
One or more EBS snapshots were created from an EC2 instance.The instance has one or more volumes attached containing sensitive data. overridden
An unusual creation of EBS snapshots from an EC2 instances
Low overridden
One or more EBS snapshots were created from an EC2 instance.The operation was not performed by this identity in the last 30 days. overridden
Exchange compliance search created Informational Identity Threat Module Email 2 variations
A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: An attacker is searching mailboxes to access sensitive information.Investigative actions: Follow further actions done by the account. Check to see if the search contained sensitive information. Check if any data was exfiltrated after the search. Look for suspicious search terms.Variations
Suspicious Exchange compliance search created
Low overridden
A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. The query contains potentially suspicious keywords, which could indicate an attempt of sensitive data collection. overridden
Exchange compliance search created for the first time
Low overridden
A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. overridden
Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange inbox forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange inbox forwarding rule configured
Medium overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden
External Exchange inbox forwarding rule configured
Low overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden
Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange transport forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange transport forwarding rule configured
Medium overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden
Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.Variations
Exchange user mailbox forwarding by a delegate user
Informational overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange user mailbox forwarding
Medium overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden
External SaaS file-sharing activity Informational Identity Threat Module 1 variation
A user shared files from within a SaaS service to an external domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may share files from a SaaS service to exfiltrate sensitive data.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Determine if the files are shared with users outside the organization and if the recipients are familiar. Review the files that were shared to determine if they contain sensitive data. Analyze the file types that were shared. Monitor the account for any further suspicious actions.Variations
SaaS external file sharing to an abnormal domain
Low overridden
A user shared files to an external domain, which the organization does not typically share files with. overridden
Gmail routing settings changed Informational Identity Threat Module 1 variation
Gmail routing settings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged (T1074) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Email Collection.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new routing settings look suspicious. Investigate the IP address associated with the routing settings. Follow further actions done by the account.Variations
Gmail routing settings changed by a non-administrative Google Workspace identity
Low overridden
Gmail routing settings were modified. overridden
Keylogging using system commands Low 1 variation
Usage of a Linux system utility to capture input.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Input Capture: Keylogging (T1056.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may capture keystrokes to intercept user credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Keylogging using system commands in a Kubernetes pod
Low overridden
Usage of a Linux system utility to capture input. overridden
Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation
A user accessed a large volume of files potentially containing credentials in Google Drive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.Variations
Possible credential files harvesting in Google Drive
Low overridden
A user accessed a large volume of files potentially containing credentials in Google Drive. overridden
Mailbox Client Access Setting (CAS) changed Medium
An attacker may use PowerShell to change the Client Access Settings (CAS) for a mailbox, hence gaining access to the data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access to the data in the compromised mailbox.Investigative actions: Examine the PowerShell command to identify which mailbox's access setting has been modified. Verify that the change in the client access setting was executed by a trusted source.Massive file activity abnormal to process Informational Identity Threat Module 1 variation
A user generated massive file activity by size or distinct file count.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.Variations
Massive file activity over 500 MB abnormal to process
Low overridden
A user generated massive file activity by size or distinct file count. overridden
Massive file compression by user Informational Identity Threat Module
Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Massive file downloads from SaaS service Informational Identity Threat Module Email 3 variations
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may download files from a SaaS service to exfiltrate sensitive data.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were downloaded to determine if they contain sensitive data. Verify if the user account that downloaded the files is authorized to access them. Analyze the file types that were downloaded. Monitor the account for any further suspicious actions.Variations
Suspicious SaaS service file downloads
Low overridden
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. The user connected from an unknown IP and displayed suspicious characteristics. overridden
Massive file downloads from SaaS service by terminated user
Low overridden
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden
Massive code file downloads from SaaS service
Low overridden
A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden
Massive upload to SaaS service Informational Identity Threat Module 1 variation
A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.Variations
Massive upload to SaaS service by suspicious user
Low overridden
A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden
Microsoft 365 storage services exfiltration activity Low Cloud
The Microsoft Graph API was used to download Microsoft OneDrive and SharePoint files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To extract sensitive information stored in Microsoft 365 storage services.Investigative actions: Determine which items were downloaded and whether they contained any sensitive information. Investigate the identity following actions.Microsoft Teams messages were exported from conversation Informational Identity Threat Module 1 variation
Microsoft Teams messages were exported from conversation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.Variations
Microsoft Teams messages were exported from conversation by a privileged user for the first time
Low overridden
Microsoft Teams messages were exported from conversation. overridden
New FTP Server Low 2 variations
A new FTP server has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.Variations
New FTP Server Accessed Via a Port Scan
Informational overridden
A new FTP server has been detected. overridden
New FTP Server from an external source
Low overridden
A new FTP server has been detected. overridden
OneDrive file download Informational Cloud
A file was downloaded from OneDrive using the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Exfiltrate sensitive data by downloading files from OneDrive.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.OneDrive folder creation Informational Cloud
A folder was created in OneDrive using Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Remote Data Staging (T1074.002)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish persistence or prepare for data exfiltration by creating a storage location in OneDrive via the Microsoft Graph API, enabling them to later upload or manipulate files undetected.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Outlook files accessed by an unsigned process Low
An attacker may use an uncommon and unsigned process to access Outlook data files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001) Email Collection: Local Email Collection (T1114.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access to the data in the compromised mailbox.Investigative actions: Examine the process command and file activity to identify the mailbox. Check if the process performed any other suspicious file activity. Check if the process generated network connections.Possible Email collection using Outlook RPC Informational
Outlook was executed using RPC by an uncommon parent process, this may be an indication of email collection activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Email Collection: Local Email Collection (T1114.001)Required data: XDR AgentAttacker's goals: An attacker is trying to perform email collection or manipulation using Outlook.Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use Outlook in its operation to send or extract emails.Possible collection of screen captures with Windows Problem Steps Recorder Medium
Windows Problem Steps Recorder (psr.exe), can record screen and clicks. Adversaries may abuse psr.exe to create screen captures and collect them afterward.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113)Required data: XDR AgentAttacker's goals: Evading security controls and collecting screen captures of the desktop.Investigative actions: Check the causality of execution and if the TSS script was executed (Microsoft Troubleshooting Script). If output parameters in the command line are executed by the user. If the parent process is known in the organization as a support tool.Possible data exfiltration over a USB storage device Informational Identity Threat Module
A process generated massive file creation, renaming and write activity to a USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation
A user generated abnormal massive file activity to a connected USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Variations
Possible internal data exfiltration of over 500 MB via USB storage device
Low overridden
A user generated abnormal massive file activity to a connected USB storage device. overridden
Potential Okta access limit breach Informational Identity Threat Module 1 variation
A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
A breach in access limits within Okta, accompanied by suspicious characteristics
Low overridden
The user exceeded the access threshold in Okta, triggering a violation alert. overridden
PowerShell used to export mailbox contents Medium
An attacker may use PowerShell to export the contents of a mailbox as part of the data staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Export the content of a mailbox, preparing for data exfiltration.Investigative actions: Examine the PowerShell command to identify which mailbox has been exported. Verify that this command was executed by a trusted source.Rare DLP rule match by user Informational Identity Threat Module Email 1 variation
A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to access sensitive information.Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.Variations
DLP rule match by user for the first time
Low overridden
A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information. overridden
Retrieval of cloud compute EC2 instance user data Informational Cloud 1 variation
A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119)Required data: AWS Audit LogAttacker's goals: Access sensitive instance metadata or startup scripts.Investigative actions: Verify whether this action is expected. Inspect the user data script for sensitive data.Variations
Unusual Retrieval of cloud compute instance user data
Low overridden
A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance. overridden
SAAS - Email was reported by the user or administrator as a phishing attempt Informational Email 2 variations
An email reported by the user or administrator as a phishing attempt has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.Investigative actions: Analyze the sender's IP address and domain reputation. Check if the sender has appeared in other logs or alerts across the organization. Review any URLs or attachments for signs of phishing, malware, or command-and-control communication. Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise. Determine whether similar emails were sent to other users to identify a broader campaign.Variations
SAAS - Phishing report with suspicious verdict on an internal user's email
Low overridden
An email sent by an internal user was reported by a recipient or administrator as a phishing attempt.This may indicate a compromised account. overridden
SAAS - Phishing report with with suspicious verdict
Low overridden
An email with a Malware/Block verdict reported by the user or administrator has been detected. overridden
Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations
A user sent sensitive email messages to external users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive email information.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Exchange mail to external account matching high severity DLP rules
Low overridden
A user sent sensitive email messages to external users. overridden
Sensitive Exchange mail sent to an external user
Low overridden
A user sent sensitive email messages to external users. overridden
Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
A non admin identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious ML Model Download Informational Cloud 1 variation
A model artifact was accessed from cloud storage by an identity that typically doesn't interact with model files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Adversaries may collect ML artifacts for exfiltration or for use in ML Attack Staging.Investigative actions: Examine the bucket to determine which model was accessed. Verify that this command was executed by a trusted source.Variations
Suspicious First-Time AI Model Download by Identity
Medium overridden
A model artifact was accessed from cloud storage by an identity that did not interact with model files recently. overridden
Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Suspicious access to Kubernetes API with kubelet credentials from unusual pod
Medium overridden
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden
Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
Suspicious identity with DevOps behavior downloaded multiple objects from a bucket
Informational overridden
An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious identity downloaded multiple objects from a bucket that contains sensitive files
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden
Suspicious identity downloaded multiple objects from a backup storage bucket
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious secrets dump activity Informational Cloud 2 variations
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity extracted every secret within the organization across multiple regions
Medium overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Uncommon GetClipboardData API function invocation of a possible information stealer Informational
An unpopular process accessed clipboard content by calling the GetClipboardData API function. This behavior may indicate potential threats such as a keylogger or a RAT.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Clipboard Data (T1115)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can monitor the clipboard as another way for credential gathering or to collect more user data over time for espionage purposes.Investigative actions: Check if the process has a user interface (a visible window). Check if the process is a known user application that was updated recently.Uncommon SetWindowsHookEx API invocation of a possible keylogger Medium
A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Input Capture: Keylogging (T1056.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.Investigative actions: Check if the process has a user interface (a visible window). Check if the process has an option to set or modify keyboard hot-keys. Check if the process is part of a remote control tool. Check if the process is a known user application that was updated recently. Check if the process is built with AutoHotkey and is known to the user. If the process is a scripting engine or a hosting executable, check the actor process command line. Investigate the endpoint if the process writes files to disk.Unusual compressed file password protection Low 1 variation
An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Exfiltrate or hide sensitive data.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual compressed file password protection in a Kubernetes pod
Low overridden
An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them. overridden
Unusual process accessed a crypto wallet's files Low
An unusual process has accessed files belonging to a cryptocurrency wallet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Local System (T1005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to cryptocurrency stored in the wallet.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Audit the usage of the cryptocurrency stored in the wallet.Unusual process accessed a macOS notes DB file Informational 1 variation
An unusual process has accessed a user's notes DB file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to user's notes and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access user's notes. Analyze the process/application that accessed the DB file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above notes.Variations
Unusual unsigned process accessed a macOS notes DB file
Low overridden
An unusual process has accessed a user's notes DB file. overridden
Unusual process accessed a messaging app's files Low
An unusual process has accessed files belonging to a messaging app.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's message history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.Unusual process accessed a web browser history file Low 1 variation
An unusual process has accessed a web browser history file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Collection (TA0009)ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's browsing history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.Variations
Unusual process accessed a web browser history file on Linux
Low overridden
An unusual process has accessed a web browser history file. overridden
User accessed SaaS resource via anonymous link Informational Identity Threat Module 2 variations
A user accessed a SaaS resource via an anonymous link.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530)Required data: Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker is attempting to collect sensitive data.Investigative actions: Check the IP address from which the access originated. Examine the file that was accessed for any sensitive indicators. Follow further actions taken, such as downloading files.Variations
External user accessed a sensitive SaaS file via anonymous link
Low overridden
An external user accessed a sensitive SaaS file via an anonymous link. overridden
User accessed a public Google Drive document
Informational overridden
A user accessed a Google Drive document that is public on the web. overridden
User accessed multiple O365 AIP sensitive files Informational Identity Threat Module
A user accessed multiple O365 AIP sensitive files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive information.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.User collected remote shared files in an archive Low Identity Threat Module
Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.User exported multiple messages in Microsoft Teams via Graph API Informational Identity Threat Module 3 variations
A user exported multiple messages in Microsoft Teams via Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.Variations
User exported multiple chats in Microsoft Teams via Graph API
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden