Analytics Alerts
Browse the Cortex analytics alert reference.
14 alerts match the current filters. technique: T1069 ✕
Show ATT&CK heatmapA user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation
A user executed multiple LDAP enumeration queries.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Server)Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.Variations
A user executed suspicious LDAP enumeration queries
Low overridden
A user executed multiple LDAP enumeration queries. overridden
AWS IAM permission groups discovery operation Informational Cloud 1 variation
AWS IAM permission groups discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Cloud Groups (T1069.003)Required data: AWS Audit LogAttacker's goals: Understand the IAM structure and relationships between users, groups, and roles. Identify high-privilege identities or misconfigurations for privilege escalation.Investigative actions: Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address. Check if the operation is followed by or correlated with other enumeration actions.Variations
Unusual AWS IAM permission groups discovery operation
Informational overridden
First execution of an AWS IAM permission groups discovery operation by a non-user identity. overridden
An Azure identity performed multiple actions that were denied Informational Cloud 3 variations
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Execute various of commands to explore the cloud environment.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
An Azure application attempted multiple actions on resources that were denied
Medium overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure identity attempted multiple actions on resources that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
An Azure application performed multiple actions that were denied
Low overridden
An identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused. overridden
Cloud user performed multiple actions that were denied Informational Cloud 1 variation
An identity performed multiple actions that were denied, which may indicate it is being misused.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Execute various commands to explore the cloud environment.Investigative actions: Check if the API calls were made by the identity.Check if there are additional calls executed by the identity.Variations
Cloud non-user identity performed multiple actions that were denied
Low overridden
An identity performed multiple actions that were denied, which may indicate it is being misused. overridden
IAM Enumeration sequence Informational Cloud 1 variation
An identity has executed a sequence of events which may be related to an IAM recon enumeration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.Variations
IAM Enumeration sequence executed from a cloud Internet facing instance
Low overridden
A cloud Internet facing instance performed an unusual IAM enumeration. overridden
Local group enumeration Informational Identity Analytics 2 variations
A user performed an enumeration on local groups to retrieve their details.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 5 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Local group enumeration for the first time
Low overridden
A user performed an enumeration on local groups to retrieve their details. overridden
Local group enumeration using a builtin Windows binary
Informational overridden
A user performed an enumeration on local groups to retrieve their details. overridden
Local group enumeration via RPC Informational 1 variation
A user enumerated local groups via RPC.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may leverage local groups discovery to identify privileged groups and escalate privileges.Investigative actions: Determine the user, hostname, and process that performed the group enumeration. Inspect process, command-line arguments or scripts used. Check for any privilege escalation or lateral movement attempts from the source system. Check if the tool used to enumerate the local groups is a known or an approved tool. Review the logs for suspicious activity from the same host or user.Variations
Remote local group enumeration via RPC
Informational overridden
A user enumerated local groups via RPC. overridden
Permission Groups discovery commands Informational 1 variation
Permission group discovery command execution.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery: Local Groups (T1069.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Permission Groups discovery commands in a Kubernetes pod
Informational overridden
Permission group discovery command execution. overridden
Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.Variations
Possible admin enumeration via LDAP
Informational overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
A user executed an LDAP enumeration query with suspicious characteristics
Medium overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Rare LDAP enumeration query executed by a user
Low overridden
A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden
Uncommon net group command execution Informational 7 variations
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find domain-level group permissions settings or modify domain-level memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon unsigned net group administrators command execution
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon unsigned net group administrators command execution - fixed localization issues
High overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group administrators command execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group administrators command execution
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon remote net group execution
Low overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon administrator net group execution by scripting engine or command prompt
Medium overridden
Uncommon net group command execution which may be used for groups and users enumeration and unauthorized user creation. overridden
Uncommon net localgroup command execution Informational 7 variations
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Persistence (TA0003)ATT&CK techniques: Permission Groups Discovery (T1069) Create Account (T1136)Required data: XDR AgentAttacker's goals: Attackers may attempt to use the command to find local groups permissions settings or modify local memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup administrators command execution by a web server process or CGO
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. When executed from a web server, it might be executed from an installed Webshell. overridden
Uncommon unsigned net localgroup administrators command execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon unsigned net localgroup administrators command execution - fixed localization issues
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup administrators command execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon remote net localgroup execution
Medium overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon administrator net localgroup execution by scripting engine or command prompt
Low overridden
Uncommon net localgroup command execution which may be used for group and user enumeration and unauthorized user creation. overridden
Uncommon net localgroup execution Informational 1 variation
The 'net localgroup' command is used to add, display, or modify groups local to the host. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Permission Groups Discovery (T1069)Required data: XDR AgentAttacker's goals: Attackers can attempt to use the command to find endpoint groups and permissions settings or modify local group memberships.Investigative actions: Check if the queried group is a sensitive one (e.g. administrators). Check whether the initiating process has executed additional discovery commands.Variations
Uncommon net localgroup execution by an untrusted CGO
Low overridden
The 'net localgroup' command is used to add, display, or modify groups local to the host by an untrusted CGO. Adversaries may attempt to use the command to find host groups and permissions settings or modify local group memberships. overridden
Unusual IAM enumeration activity by a non-user Identity Informational Cloud
An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)Required data: Gcp Audit LogAttacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.User and Group Enumeration via SAMR Informational
The endpoint performed unfamiliar SAMR querying activity to a domain controller.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate users and groups to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC-based services to multiple hosts. Check if there are any other suspicious activities originating from the same machine.