Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0042 ✕ technique: T1078 ✕

Show ATT&CK heatmap
  • A possible risky login to Azure Informational Identity Analytics 2 variations

    A risky sign-in attempt was observed in Azure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD
    Attacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Azure Risky Login with Suspicious Characteristics

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

    Azure-Defined High-Risk Login Attempt

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

  • Possible Impossible Travel Pattern - SSO Informational Identity Analytics 2 variations

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker who compromises user credentials will leverage those credentials to gain initial access to the corporate network.To obfuscate their true origin, adversaries commonly route traffic through proxies or VPNs across multiple geographic locations.
    Investigative actions: Review the source IPs and AS organizations. Check if they are associated with known corporate VPNs, cloud hosting providers, or personal VPN services. Examine recent activity associated with the user in the relevant SSO provider, focusing on suspicious actions such as MFA changes or unusual data access.

    Variations

    Azure First-Seen Device - Impossible Traveler

    Low overridden

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden

    Rare Country Login - Impossible Traveler (SSO)

    Low overridden

    A user logged in from several countries in a short period, including at least one location that is rare for the user or organization.This suspicious activity may be a sign of credential theft. overridden