Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

158 alerts match the current filters. technique: T1078 ✕

Show ATT&CK heatmap
  • A Command Line Interface (CLI) command was executed from a GCP serverless compute service Low Cloud 4 variations

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: Gcp Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    Suspicious Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Suspicious Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Informational overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    A Command Line Interface (CLI) command was executed from a GCP Cloud Build service

    Low overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

    Unusual Command Line Interface (CLI) command was executed from a GCP serverless compute service

    Medium overridden

    A GCP serverless compute service token was used to execute a Command Line Interface (CLI) command. overridden

  • A Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)
    Required data: AWS Audit Log
    Detector tags: Cloud Serverless Function Credentials Theft Analytics
    Attacker's goals: Exfiltrate serverless token and abuse it.
    Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.

    Variations

    A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service

    Informational overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

    Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service

    Low overridden

    AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden

  • A Google Workspace identity created, assigned or modified a role Informational Identity Threat Module 3 variations

    A Google Workspace identity created, assigned or modified a delegated admin role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may create, assign or modify a role to elevate the permissions of other user accounts and persist in their target's environment.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the identity's role designation in the organization. Follow further actions done by the account.

    Variations

    A non-administrative Google Workspace identity created, assigned or modified a role from an unusual ASN

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

    A non-administrative Google Workspace identity created, assigned or modified a role

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

    A Google Workspace identity created, assigned or modified a role from an unusual ASN

    Low overridden

    A Google Workspace identity created, assigned or modified a delegated admin role. overridden

  • A Google Workspace identity performed an unusual admin console activity Informational Identity Threat Module 1 variation

    A Google Workspace identity performed an admin console activity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: To do.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the changes that were made look suspicious. Follow further actions done by the account.

    Variations

    A non-administrative Google Workspace identity performed an unusual admin console activity

    Informational overridden

    A Google Workspace identity performed an admin console activity for the first time. overridden

  • A Kubernetes API operation was successfully invoked by an anonymous user Medium Cloud 1 variation

    An unauthenticated user successfully invoked API calls within the Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain initial access to a Kubernetes cluster.
    Investigative actions: Determine which resources were accessed anonymously. Verify whether the affected resource should be accessed by unauthenticated users.

    Variations

    A Kubernetes API operation was successfully invoked by an anonymous user outside the cluster

    High overridden

    An unauthenticated user successfully invoked API calls within the Kubernetes cluster. overridden

  • A Kubernetes ConfigMap was created or deleted Informational Cloud

    A Kubernetes ConfigMap was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence using valid credentials.
    Investigative actions: Check which changes were made to the Kubernetes ConfigMap.
  • A Kubernetes node service account activity from external IP Informational Cloud 1 variation

    A Kubernetes node service account was seen operating from an external IP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Determine which resources were accessed by the node service account. Investigate other actions made by the node service account.

    Variations

    A Kubernetes node service account was used outside the cluster

    Low overridden

    A Kubernetes node service account was seen operating from an external IP. overridden

  • A Kubernetes service account was created or deleted Informational Cloud 1 variation

    A Kubernetes service account was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Maintain persistence using a valid service account.
    Investigative actions: Check which changes were made to the Kubernetes service account.

    Variations

    A Kubernetes service account was created or deleted in a default namespace

    Informational overridden

    A Kubernetes service account was created or deleted. overridden

  • A Service Principal was created in Azure Informational Cloud

    A Service Principal was created in Azure. This could indicate a malicious actor attempting to gain access to a resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Access user data. Gain control of the Azure environment.
    Investigative actions: Check the Service Principal to ensure it has the correct access rights. Review the Azure Activity Log to determine the source of the Service Principal creation.
  • A Successful VPN connection from TOR High Identity Analytics 1 variation

    A successful VPN connection from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A Successful VPN connection from TOR via Mobile Device

    Medium overridden

    A successful VPN connection from a TOR exit node. overridden

  • A Successful login from TOR High Identity Analytics

    A successful login from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gain initial access to the organization while anonymizing the source of the activity.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.
  • A cloud identity executed an API call from an unusual country Informational Cloud 7 variations

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access sensitive resources and gain high privileges.
    Investigative actions: Check if the identity routed their traffic via a VPN or shared their credentials with a remote employee.

    Variations

    A suspicious cloud identity executed an API call from an unusual country

    Medium overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A Kubernetes identity executed an API call from a country that was not seen in the organization

    Medium overridden

    A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from a country that was not seen in the organization

    Medium overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from an unusual country

    Informational overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A Kubernetes API call was executed from an unusual country

    Low overridden

    A Kubernetes identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud API call was executed from an unusual country

    Low overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

    A cloud identity executed an API call from an unusual country using a compromised AWS access key

    High overridden

    A cloud identity that normally connects from a limited set of countries connected from a new country for the first time. overridden

  • A cloud identity had escalated its permissions Informational Cloud 4 variations

    A cloud identity had updated its permissions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges.
    Investigative actions: Verify which permissions were granted to the identity.

    Variations

    A cloud identity with high administrative activity had escalated its permissions

    Informational overridden

    A cloud identity with high administrative activity had updated its permissions. overridden

    A cloud compute service had escalated its permissions

    Medium overridden

    A cloud compute service had updated its permissions. overridden

    A cloud non-human identity had escalated its permissions

    Low overridden

    A cloud non-human identity had updated its permissions. overridden

    A cloud identity escalated its permissions to a high privilege role/policy

    Low overridden

    A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden

  • A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations

    A cloud identity invoked IAM related persistence operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Maintain persistence in cloud environments.
    Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.

    Variations

    A cloud identity invoked compute instance related persistence operations

    Informational overridden

    A cloud identity invoked compute instance related persistence operations. overridden

    A cloud identity invoked compute function related persistence operations

    Informational overridden

    A cloud identity invoked compute function related persistence operations. overridden

  • A compute-attached identity executed API calls outside the instance's region Informational Cloud 6 variations

    A compute-attached identity performed actions outside the compute instance region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate token and abuse it remotely.
    Investigative actions: Verify whether the compute-attached identity's credentials were intentionally used remotely. Check what API calls were executed using instance's attached role. Check if the suspected instance is compromised.

    Variations

    A compute-attached identity executed API calls outside the Lambda function's region

    Informational overridden

    A compute-attached identity performed actions outside the Lambda function region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

    High overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

    Medium overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region from an unusual ASN

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity executed API calls outside the instance's region

    Low overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

    A compute-attached identity failed to execute API calls outside the instance's region

    Informational overridden

    A compute-attached identity performed actions outside the compute instance region. overridden

  • A computer account was promoted to DC Low Identity Analytics

    A computer account was promoted to a domain controller via a User Account Control (UAC) change.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain domain administrator privileges.
    Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.
  • A disabled user attempted to authenticate via SSO Informational Identity Analytics

    A disabled user attempted to authenticate via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.
  • A disabled user attempted to log in Informational Identity Analytics 1 variation

    A disabled user attempted to log in.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user was recently enabled by an authorized entity). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Monitor services that may be running with a disabled user's credentials.

    Variations

    Cached interactive login attempt by a disabled user

    Informational overridden

    A disabled user attempted to log in. overridden

  • A disabled user attempted to log in to a VPN Low Identity Analytics 1 variation

    A disabled user attempted to log in suspiciously to a VPN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised in the past to gain access to the network.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. a contractor user). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Possible VPN login attempt by disabled user

    Informational overridden

    A disabled user attempted to log in suspiciously to a VPN. overridden

  • A machine certificate was issued with a mismatch Medium Identity Analytics

    A machine certificate was issued with a mismatch between the requester and the subject.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may attempt to exploit the Active Directory Certificate Services to escalate privileges to a domain controller machine account.
    Investigative actions: Check who owns the certificate requester account. Check if the requester DNS name attribute was changed recently. Investigate actions done by the requester and its owner. Check for possible DCSync alerts.
  • A possible risky login to Azure Informational Identity Analytics 2 variations

    A risky sign-in attempt was observed in Azure.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Resource Development (TA0042)
    ATT&CK techniques: Compromise Accounts (T1586) Valid Accounts (T1078)
    Required data: AzureAD
    Attacker's goals: An attacker is attempting to compromise an Azure account by exploiting weak or guessed passwords for initial access.
    Investigative actions: Monitor the user account for indications of compromise, such as irregular login patterns or atypical activities. Reach out to the user to confirm the legitimacy of the recent password reset activity. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.

    Variations

    Azure Risky Login with Suspicious Characteristics

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

    Azure-Defined High-Risk Login Attempt

    Low overridden

    A risky sign-in attempt was observed in Azure. overridden

  • A rare FTP user has been detected on an existing FTP server Low 1 variation

    A rare or new FTP user has been detected on an existing FTP server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.

    Variations

    Possible FTP User Scanning Detected

    Low overridden

    A rare or new FTP user has been detected on an existing FTP server. overridden

  • A rare local administrator login Informational Identity Analytics 1 variation

    A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: The attacker attempts to change sensitive settings on the host.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    Suspicious local administrator login

    Low overridden

    A rare local administrator login was observed. This may indicate an attempt to change sensitive settings on the host. overridden

  • A successful SSO sign-in from TOR High Identity Analytics 1 variation

    A successful sign-in from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A successful SSO sign-in from TOR via Mobile Device

    Medium overridden

    A successful sign-in from a TOR exit node. overridden

  • A third-party application was authorized to access the Google Workspace APIs Informational Identity Threat Module

    A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.
    Investigative actions: Check which account was granted access to the Domain API. Identify the source IP address of the request. Verify the legitimacy of the request.
  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    A user accessed multiple resources via SSO using an anonymized proxy

    Medium overridden

    A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden

    Suspicious user access to multiple resources via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

    Multiple Resource Access from a New IP via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

  • A user account was modified to password never expires Informational Identity Analytics 1 variation

    A user account was modified to password never expires.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Confirm that the account is not a temporary account that could be exploited by an attacker. Verify this action with the user who performed the change. Ensure the organization has a strong password aging policy.

    Variations

    A sensitive account was modified to password never expires

    Low overridden

    A sensitive user account was modified to password never expires. This account is a sensitive account as part of a sensitive built-in Active Directory group. overridden

  • A user certificate was issued with a mismatch Informational Identity Analytics 1 variation

    A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.
    Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.

    Variations

    Suspicious certificate issuance with a mismatch

    Low overridden

    A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden

  • A user enabled a default local account Informational Identity Analytics 2 variations

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.
    Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.

    Variations

    A user enabled the Windows DefaultAccount

    Low overridden

    A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

    A user enabled the Windows default Guest account

    Low overridden

    A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden

  • A user logged in at an unusual time via SSO Informational Identity Analytics 1 variation

    A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check the login of the user. Check further actions done by the account (e.g. creating files in suspicious locations, creating users, elevating permissions, etc.). Check if the user accessing remote resources or connecting to other services. Check if the user is logging in from an unusual time zone while traveling. Check if the user usually logs in from this country.

    Variations

    Google Workspace - A user logged in at an unusual time via SSO

    Informational overridden

    A user connected via SSO on a day and hour that is unusual for this user. This may indicate that the account was compromised. overridden

  • A user logged in at an unusual time via VPN Informational Identity Analytics

    A user connected to a VPN on a day and hour, which is unusual for this user. This may indicate that the account was compromised.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check the amount of traffic and how long it continues. Follow further actions done by the user.
  • A user logged in to the AWS console for the first time Informational Cloud 1 variation

    A user logged in to the AWS console for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.
    Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.

    Variations

    A non-user identity logged in to the AWS console for the first time

    Medium overridden

    A non-user identity logged in to the AWS console for the first time. overridden

  • A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations

    A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)
    Required data: XDR Agent
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: Elevate permissions and establish persistence.
    Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.

    Variations

    Rare user authentication with a certificate via Schannel

    Low overridden

    A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

    Abnormal authentication with a certificate via Schannel

    Informational overridden

    An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden

  • A user observed and reported unusual activity in Okta Informational Identity Threat Module 2 variations

    A user observed and reported unusual activity in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker tries infiltrating an Okta account to gain unauthorized access to valuable resources.
    Investigative actions: Investigate the original event that was reported as suspicious. Contact the user and understand why he reported the activity as suspicious. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.

    Variations

    Multiple users have reported the same suspicious activity

    Medium overridden

    Unusual activity in Okta reported about an IP not linked to an EDR agent, the operation is rare and flagged by multiple users. overridden

    Unusual activity in Okta was reported by a user along with suspicious characteristics

    Low overridden

    A user observed and reported unusual activity in Okta. overridden

  • A user was added to a Windows security group Informational Identity Analytics 4 variations

    A user was added to a Windows security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added a member to a Windows privileged group for the first time

    Medium overridden

    A user was added to a Windows security privileged group. overridden

    User added to a Windows privileged group

    Low overridden

    A user was added to a Windows security privileged group. overridden

    User removed from a Windows privileged group

    Informational overridden

    A user was removed from a Windows security privileged group. overridden

    A user was removed from a Windows security group

    Informational overridden

    A user was removed from a Windows security group. overridden

  • AWS SES account sending settings modified Informational Cloud

    AWS SES account sending settings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to confidential emails of an organization. Compromise the organization's cloud Email infrastructure.
    Investigative actions: Check whether the SES Email sending setting modification was intentional.
  • AWS STS temporary credentials were generated Informational Cloud

    AWS STS temporary credentials were generated for an AWS identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)
    Required data: AWS Audit Log
    Attacker's goals: Gain access and persistence to AWS account.
    Investigative actions: Check which operation executed with the new credentials.
  • AWS console login without MFA Informational Cloud

    An identity logged in to the AWS console without MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
    Required data: AWS Audit Log
    Attacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.
    Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.
  • AWS root account activity Informational Cloud

    The AWS root account has successfully performed an operation in the project.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Attacker's goals: Use legitimate credentials of a cloud account to access resources.
    Investigative actions: Look for any signs the Root user is compromised. Determine if the Root credentials need to be changed.
  • Abnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations

    An identity allocated an unusual compute resource pool, suspected as mining activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to generate virtual currency.
    Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).

    Variations

    Abnormal Unusual allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Suspicious allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in a high number of regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in multiple regions by an unusual identity

    Low overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

  • Abnormal File Activity in SCCMContentLib Shared Folder by user Informational Identity Analytics 1 variation

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.
    Investigative actions: Verify the activity with the performing user. Check if SCCM admin credentials were accessed or exfiltrated. Review SCCM logs to identify unauthorized queries or modifications. Investigate recent access to the extracted files and their contents. Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior. Identify the originating system and assess if it has been compromised. Monitor for any further lateral movement or privilege escalation attempts.

    Variations

    Suspicious File Activity in SCCMContentLib Shared Folder by user

    Low overridden

    A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers. overridden

  • Abnormal User Login to Domain Controller Informational Identity Analytics 4 variations

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078) Use Alternate Authentication Material (T1550)
    Required data: XDR Agent
    Attacker's goals: A malicious user may attempt to access a domain controller to access and control Active Directory.
    Investigative actions: Ensure that the user is not a Domain Admin account. By default, Administrator groups have permission to access the domain controller. Check if the user is a service account that accesses a domain controller as part of its normal behavior. Verify that the user is not authenticating to group policy.

    Variations

    Rare RDP User Login to Domain Controller by an Abnormal Department

    Medium overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal RDP User Login to Domain Controller

    Low overridden

    A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    RDP User Login to Domain Controller

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

    Abnormal User Login to Domain Controller by an Abnormal Department

    Informational overridden

    A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise. overridden

  • Account probing Low Identity Analytics

    A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Gain access to hosts by using stolen user-account credentials.
    Investigative actions: Check if the user account was compromised, and which resources it could access.
  • Admin privileges were granted to a Google Workspace user Informational Identity Threat Module

    Admin privileges were granted to a Google Workspace user. This user now has access to additional administrative functions and settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to sensitive data stored in Google Workspace. Manipulate or delete data stored in Google Workspace. Gain access to privileged features in Google Workspace.
    Investigative actions: Check which Google Workspace user was granted the admin privileges. Check if the user is authorized to be granted such privileges. Review the audit logs to determine the actions taken by the user.
  • Allocation of multiple cloud compute resources Informational Cloud 5 variations

    An identity allocated multiple compute resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to earn virtual currency.
    Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.

    Variations

    Unusual allocation of multiple cloud compute resources

    High overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden

    Allocation of multiple cloud compute resources with accelerator gear

    Low overridden

    An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden

    Unusual allocation attempt of multiple cloud compute resources

    Low overridden

    An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

  • An AWS EKS cluster was created or deleted Informational Cloud

    An AWS EKS cluster has been created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.
    Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.
  • An AWS database service master user password was changed Informational Cloud 2 variations

    An AWS database service master user password was changed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Gain access and control of the database.
    Investigative actions: Confirm the identity intended to perform this action. Follow further actions done by the identity. Check what other changes were made to the AWS Database instance or cluster.

    Variations

    An AWS Database Service master user password was changed from an unusual country

    Low overridden

    An AWS database service master user password was changed. overridden

    An AWS Database Service master user password was changed by a non-DevOps identity

    Low overridden

    An AWS database service master user password was changed. overridden

  • An Azure Kubernetes Role or Cluster-Role was modified Informational Cloud

    An Azure Kubernetes Role or Cluster-Role was modified or deleted. This could indicate malicious activity and should be investigated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.
    Investigative actions: Review the role or ClusterRole changes made by the identity. Determine whether the identity is authorized to perform these actions.
  • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted Informational Cloud

    An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted. This could indicate a security breach or malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Escalate privileges to gain access to restricted resources in Azure Kubernetes cluster.
    Investigative actions: Investigate which actions were made by the identity and identify any suspicious activity. Review the Kubernetes configuration to identify any other changes.
  • An Email address was added to AWS SES Informational Cloud

    An Email address was added to AWS SES.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to SES account. Abuse the new identity as a spambot.
    Investigative actions: Check which identity was added to the service.
  • An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations

    An identity attached an administrative policy to an IAM user or role.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges in cloud environments.
    Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

    Variations

    An identity attached an administrative policy to itself

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    An identity failed to attach an administrative policy to an IAM user or role

    Medium overridden

    An identity attached an administrative policy to an IAM user or role. overridden

    A suspicious identity attached an administrative policy to an IAM user/role

    Low overridden

    An identity attached an administrative policy to an IAM user or role. overridden

  • An identity created or updated password for an IAM user Informational Cloud 1 variation

    An identity created or updated an AWS console password for an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: AWS Audit Log
    Attacker's goals: Escalate privileges, maintain persistence in cloud environments.
    Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.

    Variations

    A suspicious identity created or updated password for an IAM user

    Low overridden

    An identity created or updated an AWS console password for an IAM user. overridden

  • An identity was granted permissions to manage user access to Azure resources Informational Cloud

    An identity was granted the User Access Administrator permission at the tenant scope.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005)
    Required data: Azure Audit Log
    Attacker's goals: Elevate permission to gain access to all Azure Subscriptions.
    Investigative actions: Verify whether the identity should be making this action. Check what additional API calls were made by the identity.
  • Authentication Attempt From a Dormant Account Informational 1 variation

    A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    31 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Use a compromised user account that has not been used in a long time and therefore less likely to be noticed.
    Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user returned from a long leave of absence). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Authentication Attempt From a Dormant Account to a sensitive server

    Low overridden

    A dormant user account tried to authenticate to a service using a TGS after having been unused for a year or more. This may indicate the account is misused by an attacker on a sensitive server. overridden

  • Authentication attempt by a honey user Low Identity Analytics 1 variation

    An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Okta OneLogin PingOne
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other authentication attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the authentication attempt. Follow further actions performed by the user.

    Variations

    Abnormal authentication by a honey user

    Medium overridden

    An authentication attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden

  • Authentication method added to an Azure account Informational Identity Threat Module 2 variations

    An identity attempted to add an Azure authentication method.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.
    Investigative actions: Check if the authentication method is legitimate in the organization. Check whether the identity is permitted to perform such actions. Follow the account for possible suspicious or unusual logins.

    Variations

    Suspicious authentication method addition to privileged Azure account

    Medium overridden

    A privileged user added an Azure authentication method. overridden

    Suspicious authentication method addition to Azure account

    Low overridden

    An identity added an Azure authentication method. overridden

  • Azure AD PIM elevation request Informational Identity Threat Module

    An Azure AD PIM elevation request was denied/approved.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Getting elevated permissions to perform malicious actions.
    Investigative actions: Check if the elevation is authorized. Follow further actions or suspicious logins from the elevated account.
  • Azure AD PIM role settings change Low Identity Threat Module 1 variation

    An identity changed the PIM role settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Abuse Elevation Control Mechanism (T1548) Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker can modify the PIM role settings to make it easier to acquire a privileged account.
    Investigative actions: Check what role settings have been updated. Check whether the user changing the settings is permitted to perform such actions.

    Variations

    Suspicious Azure AD PIM role settings change

    Medium overridden

    An identity modified the PIM role settings to a less secure configuration for a privileged role. overridden

  • Azure AD account unlock/password reset attempt Informational Identity Threat Module 1 variation

    An attempt to unlock an Azure AD identity or reset its password has occurred.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may switch a valid account's password for persistence.
    Investigative actions: Check if the password reset is authorized. Check whether the user who reset the password is permitted to perform such actions. Check if the account is in the password reset group or is acting out of scope. Check whether the user has not completed the password reset and cancelled before successfully passing authentication methods. Follow further actions or suspicious logins from the target account.

    Variations

    Azure AD account unlock/successful password reset

    Low overridden

    An identity successfully reset or changed Azure AD password. overridden

  • Azure Automation Account Creation Informational Cloud

    Azure Automation account was created. An attacker might create an account for persistence.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity that created the account and verify its activity.
  • Azure Automation Runbook Creation/Modification Informational Cloud

    An Azure Automation Runbook was being modified or created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Azure Audit Log
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the identity and its actions after the modify/create action.
  • Azure Temporary Access Pass (TAP) registered to an account Informational Identity Threat Module 2 variations

    An identity registered an Azure Temporary Access Pass (TAP) to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.
    Investigative actions: Check if the account that got the TAP should get it. Check whether the account that registered the TAP is supposed to perform such actions. Check if the TAP was registered to a privileged account. Follow further actions done by the initiator and the account with the TAP.

    Variations

    Azure Temporary Access Pass (TAP) registered to a privileged account

    Medium overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

    Abnormal Azure Temporary Access Pass (TAP) account registration

    Low overridden

    An identity registered an Azure Temporary Access Pass (TAP) to an account. overridden

  • Azure group creation/deletion Informational Cloud

    A group in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence to the environment.
    Investigative actions: Check group's assigned roles. Check which members were added to the group.
  • Azure service principal assigned app role Informational Identity Threat Module

    An identity assigned an app role (permissions) to a service principal.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may add roles to service principals that will allow them to access sensitive information and perform other actions.
    Investigative actions: Check if the added service principle is new to the organization. Check whether the account that added the app role is supposed to perform such actions. Check for possible logins and actions from the service principle with the role. Follow further actions done by the application and the assigner.
  • Azure storage account blob anonymous access is enabled Informational Cloud

    It is possible to configure anonymous access to blobs within the storage account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the blobs within the storage account should be accessed from all networks. Disable public network access or disable blob anonymous access to storage account if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Azure user creation/deletion Informational Cloud

    A user in Azure was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Gain persistence into the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure user password reset Informational Cloud

    The password of an Azure AD user was reset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Cloud activity from a high-risk IP address Informational Cloud 1 variation

    An identity executed a cloud API from a high-risk IP address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access using a compromised identity while obfuscating origin.
    Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.

    Variations

    Cloud activity from an unusual high-risk IP

    Low overridden

    An identity executed a cloud API from a high-risk IP address. overridden

  • Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations

    A suspicious identity type has attempted to impersonate another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.

    Variations

    Cloud impersonation attempt of a management role by unusual identity type

    Informational overridden

    An unusual cloud identity type attempted to impersonate a management role. overridden

    Successful cloud impersonation by an unusual identity type

    Medium overridden

    A suspicious identity type has successfully impersonated another identity. overridden

  • FTP Connection Using an Anonymous Login or Default Credentials Low

    An FTP connection using an anonymous login was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Failed Login For Locked-Out Account Informational

    A locked-out user account (event ID 4725 or 4740) was used in a Kerberos TGT pre-authentication attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Authenticate using the principal in the TGT, not knowing that it has been revoked.
    Investigative actions: Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory. Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked. The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.
  • First Azure AD PowerShell operation for a user Low Identity Threat Module

    A user performed an Azure AD operation using a PowerShell user-agent for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Achieve initial access to a company's resources.
    Investigative actions: Follow the actions the user performed using PowerShell. Confirm with the user that the action was intended.
  • First SSO Resource Access in the Organization Informational Identity Analytics 1 variation

    A resource was accessed for the first time via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use a possibly compromised account to access privileged resources.
    Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.

    Variations

    Abnormal first access to a resource via SSO in the organization

    Low overridden

    A resource was accessed for the first time via SSO with suspicious characteristics. overridden

  • First SSO access from ASN for user Informational Identity Analytics 2 variations

    A user successfully authenticated via SSO with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    First SSO access from ASN for user - suspicious characteristics detected

    Low overridden

    First SSO access from ASN for user that shows suspicious characteristics. overridden

    Google Workspace - First SSO access from ASN for user

    Informational overridden

    A user successfully authenticated via SSO with a new ASN. overridden

  • First SSO access from ASN in organization Informational Identity Analytics 2 variations

    An SSO authentication was made with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: AzureAD Azure SignIn Log Idira Duo Google Workspace Authentication Okta OneLogin PingOne
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    First successful SSO access from ASN in the organization

    Low overridden

    An SSO authentication was made with a new ASN. overridden

    Google Workspace - First SSO access from ASN in organization

    Informational overridden

    An SSO authentication was made with a new ASN. overridden

  • First VPN access from ASN for user Informational Identity Analytics 1 variation

    A user logged in to a VPN with a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.

    Variations

    Unusual VPN access from ASN

    Low overridden

    An unusual VPN login was made by a user. overridden

  • First VPN access from ASN in organization Informational Identity Analytics

    A VPN connection was attempted from a new ASN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Use an account that was possibly compromised to gain access to the network.
    Investigative actions: See whether the connection was successful. Confirm that the activity is benign (e.g. the provider or location is allowed or a new user). Verify if the ASN is an approved ASN to authenticate from. Follow further actions done by the user.
  • First-time directory sync of an on-premises domain user to an existing cloud account Informational Identity Threat Module

    First-time synchronization of an on-premises domain user with an existing cloud account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: AzureAD Audit Log
    Attacker's goals: Attackers may leverage DirectorySync to move laterally from a compromised on-premise environment into the cloud tenant, allowing them to bypass the cloud's security boundaries and take over high-value cloud identities.
    Investigative actions: Check if the cloud account was an administrator (Global Admin, etc.) before this sync. Determine if the on-premise user was recently created or if its 'proxyAddress' attribute was recently modified. Confirm if the organization intended to transition this account from Cloud-Only to Hybrid. Verify the consistency between the on-premises 'ObjectGUID' and the newly assigned 'ImmutableID' in Azure AD.
  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • IAM User added to an IAM group Informational Cloud

    An IAM user was added to an IAM group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
    Required data: AWS Audit Log
    Attacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.
    Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.
  • Intense SSO failures Informational Identity Analytics 1 variation

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.

    Variations

    Intense SSO failures with suspicious characteristics

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden

  • Interactive login by a machine account Informational Identity Analytics 1 variation

    A machine account performed an interactive or remote interactive login.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Successful interactive login by a machine account

    Low overridden

    A machine account performed a successful interactive or remote interactive login. overridden

  • Interactive login by a service account Low Identity Analytics 2 variations

    A service account performed an interactive or remote interactive login.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use an account that has access to resources to move laterally in the network and access privileged resources.
    Investigative actions: See whether the login was successful. Check whether the account has done any administrative actions it should not usually do. Look for more logins and authentications by the account throughout the network.

    Variations

    Interactive login by a service account to a sensitive server

    Medium overridden

    Interactive login by a service account to a sensitive server. overridden

    Failed interactive login by a service account

    Informational overridden

    A service account performed an interactive or remote interactive login. overridden

  • Interactive login from a shared user account Informational Identity Analytics

    A user account has been seen active on multiple hosts.Shared accounts are often considered 'bad practice' and may present multiple security risks to the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gaining access to a shared account and multiple hosts and systems throughout the organization.
    Investigative actions: Ensure that the shared account is legitimate and has a justified role in the organization.
  • Kubernetes admission controller activity Informational Cloud 4 variations

    A Kubernetes admission controller has been created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.
    Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.

    Variations

    Kubernetes validating admission controller was used in the organization for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the organization for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

    Kubernetes validating admission controller was used in the cluster for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the cluster for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

  • Kubernetes service account activity outside the cluster Informational Cloud 2 variations

    A service account user successfully invoked API calls outside the Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the Kubernetes cluster.
    Investigative actions: Determine which Kubernetes resources were accessed using the service account. Verify whether the service account token was exposed.

    Variations

    Unusual Kubernetes service account activity outside the cluster

    Low overridden

    A service account user successfully invoked API calls outside the Kubernetes cluster. overridden

    Kubernetes service account activity outside the cluster from non-cloud IP

    Low overridden

    A service account user successfully invoked API calls outside the Kubernetes cluster. overridden

  • Linux local user account creation Informational Identity Analytics 1 variation

    A user executed a process associated with user account creation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts (T1078) Valid Accounts: Local Accounts (T1078.003)
    Required data: XDR Agent
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.

    Variations

    Linux local user account creation by non-root user

    Low overridden

    A non-root user executed a process associated with user account creation. This user does not regularly create accounts. overridden

  • Local user account creation Informational Identity Analytics 1 variation

    A user was observed creating a rare local user account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who created the account and verify its activity. Investigate whether the same account was created on different hosts as part of an installation process.

    Variations

    Suspicious local user account creation

    Low overridden

    A user was observed creating a rare local user account. This user has not been seen creating user accounts in the past 30 days. overridden

  • Local user account creation by a machine account Informational Identity Analytics

    A machine account was observed creating a rare local user account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Valid Accounts: Local Accounts (T1078.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the machine that created the user account and verify its activity. Check if the machine account is supposed to create user accounts. Investigate whether the same account was created on different hosts as part of an installation process.
  • Login attempt by a honey user Low Identity Analytics 1 variation

    A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078)
    Required data: XDR Agent
    Detector tags: Honey User Analytics
    Attacker's goals: An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
    Investigative actions: Confirm that the alert was triggered by a honey user account. Check for other login attempts on different accounts from the same source IP. Analyze any subsequent actions performed by the user after the login attempt. Follow further actions performed by the user.

    Variations

    Successful login by a honey user

    Medium overridden

    A login attempt was made by a honey user, a decoy account created to detect unauthorized access. This may indicate potential attacker activity attempting to use valid or stolen credentials. overridden

  • Login by a dormant user Informational Identity Analytics 1 variation

    A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: XDR Agent
    Attacker's goals: Use a compromised user account that has not been used for a long time and is therefore less likely to be noticed.
    Investigative actions: Confirm that the activity is benign (e.g. the user returned from a long leave of absence). See whether there are other abnormal actions done by the user (e.g. files\commands\other logins). Check whether you have issues with your Cloud Identity Engine failing to sync data from Active Directory.

    Variations

    Cached interactive login by a dormant user

    Informational overridden

    A dormant user logged on after having been unused for a month or longer.This may indicate the account is misused by an attacker. overridden

  • Machine account was added to a domain admins group Medium Identity Analytics

    A machine account was added to a domain admins group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.
  • Masquerading as a default local account Low Identity Analytics 3 variations

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Hide Artifacts: Hidden Users (T1564.002) Valid Accounts: Default Accounts (T1078.001) Masquerading (T1036)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Check what rights and permissions were granted to the new user. Verify the action with the user who created the new account. Follow actions and activities of the newly created default account. Monitor the addition of the user to different groups.

    Variations

    Masquerading as a default local account for the first time

    Medium overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

    Potential masquerading as a power user account

    Low overridden

    A user created a new local account with the name of a privileged local account.This user does not regularly create accounts.An attacker may create a user with these known names to evade detection. overridden

    Masquerading as a default Administrator account

    Informational overridden

    A user created a new local account with the name of a default local account, such as Guest and DefaultAccount.An attacker may create a user with these known names to evade detection. overridden

  • Member added to a Windows local security group Informational Identity Analytics 2 variations

    A member was added to a Windows local security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Privilege escalation using a valid account.
    Investigative actions: Check the user who added the account to the group and verify its activity.

    Variations

    User added to the Windows local Administrator group

    Low overridden

    A member was added to a Windows local security group. overridden

    Member added to the Windows local Administrator group

    Informational overridden

    A member was added to a Windows local security group. overridden

  • Microsoft Configuration Manager device registration and policy request Informational Identity Analytics 1 variation

    A user registered a device and requested a Microsoft Configuration Manager policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Unsecured Credentials (T1552)
    Required data: XDR Agent
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.
    Investigative actions: Verify the activity with the performing user. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Look for unusual logins using the Network Access Account (NAA), on systems or at times that deviate from normal patterns. Looking for signs of credential extraction, such as tools or scripts.

    Variations

    Suspicious Microsoft Configuration Manager device registration and policy request

    Low overridden

    A suspicious process registered a new device and requested policies from Microsoft Configuration Manager, triggering a suspicious activity alert due to unusual characteristics. overridden

  • Multiple Suspicious FTP Login Attempts Low

    Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Multiple failed AWS assume role attempts Informational Cloud 1 variation

    An AWS identity performed an unusual high number of failed assume role attempts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible roles and move laterally or escalate privileges within a cloud environment.
    Investigative actions: Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious. Evaluate if the source IP address or user agent associated with these attempts is known or suspicious. Verify if any successful assume role operations occurred from the same identity around the same time. Review any additional activity from the specific roles the identity assumed.

    Variations

    Suspicious multiple failed AWS assume role attempts

    Medium overridden

    An AWS identity performed an unusual high number of failed assume role attempts. overridden

  • Multiple failed logins from a single IP Informational Cloud 2 variations

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access to the cloud console.
    Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.

    Variations

    Multiple failed logins from an unknown IP

    Medium overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden

    Multiple failed logins from a single IP by a compromised AWS access key

    High overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden