Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0010 ✕ technique: T1078 ✕

Show ATT&CK heatmap
  • User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation

    A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)
    Required data: AzureAD
    Attacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.
    Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.

    Variations

    User signed in to an uncommon application via Power Automate for the first time

    Low overridden

    A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden