Analytics Alerts
Browse the Cortex analytics alert reference.
89 alerts match the current filters. technique: T1098 ✕
Show ATT&CK heatmapA Google Workspace user was added to a group Informational Identity Threat Module
A user added another user to a Google Workspace group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate accounts and groups to maintain access to victim systems.Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user was added to a sensitive group. Follow further actions done by the account.A Kubernetes cluster role binding was created or deleted Informational Cloud
A Kubernetes cluster role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Escalate privileges to gain access to restricted resources in the Kubernetes cluster.Investigative actions: Check which changes were made to the Kubernetes cluster role binding.A Kubernetes role binding was created or deleted Informational Cloud
A Kubernetes role binding was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Container Cluster Roles (T1098.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Obtain Kubernetes secrets to access restricted information.Investigative actions: Check which changes were made to the Kubernetes secret.A cloud identity had escalated its permissions Informational Cloud 4 variations
A cloud identity had updated its permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation (T1098)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Escalate privileges.Investigative actions: Verify which permissions were granted to the identity.Variations
A cloud identity with high administrative activity had escalated its permissions
Informational overridden
A cloud identity with high administrative activity had updated its permissions. overridden
A cloud compute service had escalated its permissions
Medium overridden
A cloud compute service had updated its permissions. overridden
A cloud non-human identity had escalated its permissions
Low overridden
A cloud non-human identity had updated its permissions. overridden
A cloud identity escalated its permissions to a high privilege role/policy
Low overridden
A cloud identity escalated its permissions by adding itself to a high privileged policy/role/group. overridden
A cloud identity invoked IAM related persistence operations Informational Cloud 2 variations
A cloud identity invoked IAM related persistence operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account: Cloud Account (T1136.003) Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what cloud resources were affected. Look for signs that the identity is compromised.Variations
A cloud identity invoked compute instance related persistence operations
Informational overridden
A cloud identity invoked compute instance related persistence operations. overridden
A cloud identity invoked compute function related persistence operations
Informational overridden
A cloud identity invoked compute function related persistence operations. overridden
A computer account was promoted to DC Low Identity Analytics
A computer account was promoted to a domain controller via a User Account Control (UAC) change.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain domain administrator privileges.Investigative actions: Verify if the domain controller promotion is expected. Check if the computer account is a new account. Confirm this action with the user who performed the change. Follow actions by the account and if it performed a DCSync.A process modified an SSH authorized_keys file Informational 3 variations
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Containers, Generic Persistence AnalyticsAttacker's goals: Adversaries use this to ensure that they possess the corresponding private key and may log in as an existing user via SSH.Investigative actions: Check the file modification, try to understand the impact of the related processes and network connections.Variations
A process modified an SSH authorized_keys2 file
Low overridden
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden
A process modified an SSH authorized_keys file from within a Kubernetes Pod
Low overridden
A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host. overridden
Unpopular process modified the SSH authorized_keys file
Low overridden
An unpopular process modified the SSH authorized_keys file. overridden
A user accessed Okta's admin application Informational Identity Threat Module 1 variation
An attempt to access Okta's admin management application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).Variations
Suspicious Okta Admin App Access Attempt
Low overridden
A user attempted to access the Okta Admin Application in a suspicious way. overridden
A user certificate was issued with a mismatch Informational Identity Analytics 1 variation
A certificate was issued to a user who was not the requester, this may indicate a certificate manipulation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers may try to obtain certificates for privileged accounts or systems they do not normally have access to, to gain elevated access and move laterally within the network.Investigative actions: Verify the activity with the performing user. Identify if the requester is a user or system that normally requests certificates on behalf of other entities (e.g., a Mobile Device Management system). Search for further indicators of potential compromise, including atypical login behaviors, unauthorized attempts at privilege escalation, or lateral movements within the network attributed to the requester. Examine whether the mismatch between the requester and the subject is consistent with known and anticipated practices, or if it represents an unusual deviation. Check for possible certificate authentications with the subject user.Variations
Suspicious certificate issuance with a mismatch
Low overridden
A user certificate was issued with a mismatch. This requester doesn't usually ask for a certificates on behalf of another subject. This may indicate a certificate manipulation. overridden
A user enabled a default local account Informational Identity Analytics 2 variations
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Default Accounts (T1078.001) Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account and escalate privileges.Investigative actions: Check what rights and permissions were granted to the user. Verify this action with the user who performed the change. Follow actions and activities of the newly enabled default account.Variations
A user enabled the Windows DefaultAccount
Low overridden
A user enabled the Windows DefaultAccount. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user enabled the Windows default Guest account
Low overridden
A user enabled a default local account. Enabling a default account may pose a security risk, as they are often exploited by attackers. overridden
A user logged in to the AWS console for the first time Informational Cloud 1 variation
A user logged in to the AWS console for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Remote Services: Cloud Services (T1021.007)Required data: AWS Audit LogAttacker's goals: Evading detections by performing direct operations using the AWS console. Performing non-automatic operations easily.Investigative actions: Check if the identity is an AWS identity. Investigate which operations were performed by the identity.Variations
A non-user identity logged in to the AWS console for the first time
Medium overridden
A non-user identity logged in to the AWS console for the first time. overridden
A user logged on to multiple workstations via Schannel Informational Identity Analytics 2 variations
A user logged on to multiple workstations with a certificate via Schannel. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Credential Access (TA0006)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078) Steal or Forge Authentication Certificates (T1649)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Check for possible certificate authentications with the subject user. Check if the user logged in to other endpoints via Schannel.Variations
Rare user authentication with a certificate via Schannel
Low overridden
A rare user authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
Abnormal authentication with a certificate via Schannel
Informational overridden
An abnormal authentication with a certificate via Schannel was observed. This may be indicative of a compromised account. overridden
A user was added to a Windows security group Informational Identity Analytics 4 variations
A user was added to a Windows security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added a member to a Windows privileged group for the first time
Medium overridden
A user was added to a Windows security privileged group. overridden
User added to a Windows privileged group
Low overridden
A user was added to a Windows security privileged group. overridden
User removed from a Windows privileged group
Informational overridden
A user was removed from a Windows security privileged group. overridden
A user was removed from a Windows security group
Informational overridden
A user was removed from a Windows security group. overridden
AWS console login without MFA Informational Cloud
An identity logged in to the AWS console without MFA.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)Required data: AWS Audit LogAttacker's goals: Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.Investigative actions: Determine why MFA was not enforced and whether MFA was ever enabled. Track any subsequent activity performed by the identity after the login to identify potential misuse.AWS support case creation Informational Cloud
A cloud identity has created a new case in AWS support.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .An identity attached an administrative policy to an IAM user or role Informational Cloud 3 variations
An identity attached an administrative policy to an IAM user or role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.Variations
An identity attached an administrative policy to itself
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity failed to attach an administrative policy to an IAM user or role
Medium overridden
An identity attached an administrative policy to an IAM user or role. overridden
A suspicious identity attached an administrative policy to an IAM user/role
Low overridden
An identity attached an administrative policy to an IAM user or role. overridden
An identity created or updated password for an IAM user Informational Cloud 1 variation
An identity created or updated an AWS console password for an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit LogAttacker's goals: Escalate privileges, maintain persistence in cloud environments.Investigative actions: Verify whether the identity should be making this action. Examine what additional API calls were made by the identity.Variations
A suspicious identity created or updated password for an IAM user
Low overridden
An identity created or updated an AWS console password for an IAM user. overridden
An unknown account was invited to the AWS organization Informational Cloud
An unknown account was invited to your AWS organization.The target account was not seen in your tenant for the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Establish persistent access to the compromised cloud account.Investigative actions: Identify the invited account ID and ownership. Review additional actions performed by the identity and role.Azure Automation Webhook creation Informational Cloud
Azure Automation Webhook can be used to pass a payload with specific attributes to run a malicious Runbook.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit LogAttacker's goals: Persistence using a valid account.Investigative actions: Check the identity actions prior/after the webhook creation. Find which Runbook was executed using the webhook.Azure Service principal/Application creation Informational Cloud
An Azure Service principal/Application was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: To gain persistent access and elevate privileges within the environment.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure account creation by a non-standard account Informational Identity Threat Module 1 variation
An Azure AD account creation was performed by a user that doesn't typically create users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Create Account (T1136)Required data: AzureAD Audit LogAttacker's goals: Create a backdoor account for later access to Azure AD or Azure resources, or delete evidence of such an account.Investigative actions: Follow further actions by the initiator. Check for new resource creations by the new user. Check if the new user was added to a privileged role. Follow further actions done by the new user.Variations
Unusual Azure account creation by a non-standard account
Low overridden
An Azure AD account creation was performed by a user that doesn't typically create users. overridden
Azure application URI modification Informational Identity Threat Module 1 variation
An identity added or updated an Azure application's URI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check whether the account that modified the URI is supposed to perform such actions. Check for possible logins from the application modified. Check for possible account consents or credential changes regarding the application. Follow further actions done by the application.Variations
Suspicious Azure application URI modification
Low overridden
An identity added or updated an Azure application's URI. overridden
Azure application credentials added Informational Identity Threat Module 2 variations
An identity added credentials to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: AzureAD Audit LogAttacker's goals: An attacker may add certificates or modify authentication methods of an application to authenticate as the application.Investigative actions: Check if the modified application is new to the organization. Check whether the account that modified the credentials is supposed to perform such actions. Check for possible logins from the application modified. Follow further actions done by the application.Variations
Suspicious credential operation on an Azure application
Medium overridden
An identity added a certificate to an Azure application in a suspicious way. overridden
Unusual certificate operation on an Azure application
Low overridden
An identity added a certificate to an Azure application with some unusual parameters. overridden
Azure device code authentication flow used Informational Identity Analytics 3 variations
An Azure AD login was performed with device code flow.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Use Alternate Authentication Material (T1550)Required data: Azure Audit LogAttacker's goals: An attacker may use a device to access resources in the tenant using an access token from device code authentication flows.Investigative actions: Check what devices are listed with the logged-in user. Check if the account is authorized to use such devices to access resources. Check for possible logins from the device. Follow further actions done by the account and device.Variations
Suspicious Azure device code authentication flow used by an Azure AD privileged user
Medium overridden
An Azure AD login was performed with device code flow. overridden
Suspicious Azure device code authentication flow used
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure device code authentication flow used by an Azure AD privileged user
Low overridden
An Azure AD login was performed with device code flow. overridden
Azure domain federation settings modification attempt Low Identity Threat Module 1 variation
A user or application attempted to modify the federation settings of the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.Variations
A successful Azure domain federation settings modification
Medium overridden
A user or application successfully modified the federation settings of the domain. overridden
Azure group creation/deletion Informational Cloud
A group in Azure was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain persistence to the environment.Investigative actions: Check group's assigned roles. Check which members were added to the group.Azure permission delegation granted Informational Cloud 1 variation
An identity delegated permissions to access a certain resource or application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit LogAttacker's goals: Gain control over user accounts.Investigative actions: Check the user access logs for any suspicious activity. Review the permissions granted and the scope of the permissions.Variations
Azure permission delegation granted by an Azure AD privileged user
Low overridden
An identity delegated permissions to access a certain resource or application. overridden
Azure user creation/deletion Informational Cloud
A user in Azure was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain persistence into the account.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Azure user password reset Informational Cloud
The password of an Azure AD user was reset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Valid Accounts (T1078) Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Cloud access key creation Informational Cloud 2 variations
Cloud access key creation by a cloud identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Persist in the environment.Investigative actions: investigate the identity who created the access keys. Check the access key activity in the organization.Variations
Successful access key creation by an unusual identity type
Informational overridden
Cloud access key creation by a cloud identity. overridden
Unusual successful cloud access key creation
Informational overridden
Cloud access key creation by a cloud identity. overridden
Credentials were added to Azure application Informational Cloud
Credentials were added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: An attacker can establish a backdoor in the application by adding additional credentials to it, such as secrets or certificates.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Exchange mailbox delegation permissions added Informational Identity Threat Module Email 1 variation
A user added delegation permissions to an Exchange mailbox.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)Required data: Office 365 AuditAttacker's goals: Add delegation permissions to a mailbox for persistence reasons.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents).Variations
Addition of Exchange mailbox delegation permissions with suspicious characteristics
Low overridden
A user added delegation permissions to an Exchange mailbox. overridden
Exchange mailbox folder permission modification Informational Identity Threat Module Email 1 variation
A user modified permissions to an Exchange mailbox folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Email Delegate Permissions (T1098.002)Required data: Office 365 AuditAttacker's goals: An attacker may add permissions to a mailbox folder for persistence reasons. For instance, an attacker may assign the Default or Anonymous user permissions. This will allow them to maintain persistent access to the mailbox folder, which may lead to exfiltration of the messages.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Check for abnormal Azure AD non-interactive logins by the user. Monitor for changes that may indicate excessively broad permissions.Variations
Exchange mailbox folder permission modification for a default user
Low overridden
A user modified permissions to an Exchange mailbox folder. The user granted the permission is a default user, which effectively grants the permission to any user. overridden
External user invitation to Azure tenant Informational Cloud
An external user was invited to Azure tenant.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain unauthorized access to the tenant.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.GCP Service Account key creation Informational Cloud
A GCP service account key was created. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Gcp Audit LogAttacker's goals: Persistence using the created key.Investigative actions: Check what actions were taken using the newly created service account key. Check what other actions were taken by the identity that created the key.GCP administrative role granted to a cloud identity Informational Cloud
A cloud identity granted an administrative IAM role to another identity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.GCP sensitive Cloud Run role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Cloud Run IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Cloud Run role granted
Medium overridden
A cloud identity granted itself a sensitive Cloud Run IAM role. overridden
GCP sensitive Deployment Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Deployment Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within the cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Deployment Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Deployment Manager IAM role. overridden
GCP sensitive Functions role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Functions IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Functions role granted
Medium overridden
A cloud identity granted itself a sensitive Functions IAM role. overridden
GCP sensitive IAM role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive IAM role granted
Medium overridden
A cloud identity granted itself a sensitive IAM role. overridden
GCP sensitive Secret Manager role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive Secret Manager IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive Secret Manager role granted
Medium overridden
A cloud identity granted itself a sensitive Secret Manager IAM role. overridden
GCP sensitive compute role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive compute IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive compute role granted
Medium overridden
A cloud identity granted itself a sensitive compute IAM role. overridden
GCP sensitive role granted to group Low Cloud 1 variation
A cloud identity granted a sensitive role to a group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the group.Variations
GCP sensitive role granted to group
Medium overridden
A cloud identity granted a sensitive role to a group. overridden
GCP sensitive storage role granted Informational Cloud 1 variation
A cloud identity granted itself a sensitive storage IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Variations
GCP sensitive storage role granted
Medium overridden
A cloud identity granted itself a sensitive storage IAM role. overridden
GCP set IAM policy activity Informational Cloud
A cloud identity had modified a resource policy bindings.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Gcp Audit LogAttacker's goals: Maintain persistent access or escalate privileges within cloud environment.Investigative actions: Verify which permissions were granted to the identity.Google Workspace organizational unit was modified Informational Identity Threat Module
A Google Workspace admin modified an organizational unit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Google Workspace user authentication information changed Informational Identity Threat Module 2 variations
Google Workspace authentication information was changed for a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.Variations
Google Workspace administrative user authentication information changed
Low overridden
Google Workspace authentication information was changed for a user. overridden
Google Workspace user authentication information changed by another account
Low overridden
Google Workspace authentication information was changed for a user. overridden
IAM User added to an IAM group Informational Cloud
An IAM user was added to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add a user to a group to establish persistence or escalate privileges within a cloud account.Investigative actions: Identify the identity that executed the API call. Determine which IAM user was added to the group. Evaluate the group's permissions to determine their applicability to the IAM user.IAM inline policy was added to group Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to role Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM inline policy was added to user Informational Cloud
A cloud identity added an AWS IAM inline policy to an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM instance profile was associated with EC2 instance Informational Cloud
An AWS IAM instance profile was associated with EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was created Informational Cloud
An AWS IAM instance profile was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM instance profile was replaced for EC2 instance Informational Cloud
An AWS IAM instance profile was replaced for EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.IAM policy default version was changed Informational Cloud
A cloud identity set the specified version of an AWS IAM policy as the policy's default.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy version was created Informational Cloud
A cloud identity created an AWS-managed IAM policy version.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to group Informational Cloud
A cloud identity attached an AWS IAM policy to an IAM group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM policy was attached to role Informational Cloud 1 variation
An AWS IAM policy was attached to this role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate privileges.Investigative actions: Review affected role attributes and permissions. Investigate any suspicious activities related to the identity and the role.Variations
Administrative IAM policy was attached to role
Informational overridden
An AWS IAM policy was attached to this role. overridden
IAM role trust policy modification Informational Cloud
A cloud identity updated the trust policy of an AWS IAM role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity.IAM role was created Informational Cloud
An IAM role was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Add additional cloud roles or permissions to maintain persistent access or escalate permissions.Investigative actions: Investigate any unusual activity originating from the suspected identity or role.Identity assigned an Azure AD Administrator Role Informational Identity Threat Module 2 variations
An identity was assigned an Azure AD Administrator role.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: AzureAD Audit LogAttacker's goals: An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.Investigative actions: Check if the added account is new to the organization. Check whether the account that added the account to the role is permitted to perform such actions. Check what can be affected by the assigned role Follow further actions done by the account that was added to the role.Variations
Identity assigned an Azure AD Administrator Role by an Application
Medium overridden
An identity was assigned an Azure AD Administrator role by an application. overridden
Suspicious Azure AD Administrator Role assignment
Low overridden
An identity was assigned an Azure AD Administrator role. overridden
Member added to a Windows local security group Informational Identity Analytics 2 variations
A member was added to a Windows local security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Privilege escalation using a valid account.Investigative actions: Check the user who added the account to the group and verify its activity.Variations
User added to the Windows local Administrator group
Low overridden
A member was added to a Windows local security group. overridden
Member added to the Windows local Administrator group
Informational overridden
A member was added to a Windows local security group. overridden
New Teams application published to the organization catalog Informational Identity Threat Module 1 variation
A new Teams application was published to the organization catalog.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage Teams applications to maintain persistent access to compromised Teams accounts.Investigative actions: Confirm that the application was created by a certified and trusted entity. Evaluate the permissions requested by the application to determine if they are excessive or unusual. Determine if it is within the user's role to publish this type of application. Correlate the alert with the sign-in event to get additional information on the identity performing the action. Follow further actions done by the account.Variations
A Microsoft Teams application was published to the organization catalog by an unusual user
Low overridden
A new Teams application was published to the organization catalog. overridden
New cloud identity created with administrative policy Low Cloud 1 variation
New cloud identity was created and assigned administrative policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Create Account: Cloud Account (T1136.003) Create Account (T1136) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Escalate privileges in cloud environments.Investigative actions: Confirm whether this activity was intentional. Check for other API calls that were executed by the identity. Look for any suspicious behavior from the IAM user/role to whom the administrative policy was attached.Variations
Administrative IAM User Created with Credentials
Low overridden
New cloud identity was created and assigned administrative policy. overridden
Okta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden
Okta admin privilege assignment Informational Identity Threat Module 1 variation
A user assigned admin privileges to a new user or group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker is attempting to gain access to sensitive information or systems, while privilege escalation involves their attempt to increase control and access within the system or network.Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Analyze the actions carried out by the user responsible for granting permission.Variations
Abnormal Okta admin privilege assignment with suspicious characteristics
Low overridden
A suspicious user assignment of admin privileges to a new user or group. overridden
Owner was added to Azure application Informational Cloud
An Owner was added to an Azure application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Gain administrative control and manipulate the application's permissions and settings.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Possible Privilege Escalation using Delegated MSA account Informational Identity Analytics 1 variation
An attacker might abuse dMSA account to escalate its privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may leverage dMSA account migration process to escalate privileges.Investigative actions: Confirm that the user is authorized to create and modify dMSA accounts in the domain. Verify the user should have permissions on the OU under which the dMSA account was created. Validate that the dMSA account should be created under the OU that appeared in the log (use the GUID). Verify that the user superseded an account, with the dMSA account, that should have superseded. Check the GUID of the dMSA object to get the account itself (can be viewed also in computer account creation event). Check what is the superseded account in the attribute 'msDS-ManagedAccountPrecededByLink' of the dMSA object. Investigate the host that initiated the dMSA account migration process for malicious activity.Variations
Possible Privilege Escalation using Delegated MSA account attempt
Medium overridden
An attacker might abuse dMSA account to escalate its privileges. overridden
Potential creation of persistent cloud credentials Informational Cloud
A cloud identity invoked a credential-related persistence operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Forge Web Credentials (T1606) Use Alternate Authentication Material: Application Access Token (T1550.001)Required data: AWS Audit LogAttacker's goals: Maintain persistence in cloud environments.Investigative actions: Check what API calls were executed by the identity. Check what resources are affected by this change. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account.Privileged role used by Azure application Informational Cloud 1 variation
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Leverage high-level permissions to gain persistence and access to sensitive information.Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.Variations
First-time privileged role is used by Azure application
Low overridden
An Azure application with high-level API permissions invoked a request to the Microsoft Graph API. overridden
SPNs cleared from a machine account Low Identity Analytics 1 variation
Service principal names were cleared from a machine account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Follow actions performed by the user. Look for associated sAMAccountName rename events.Variations
SPNs cleared from a machine account for the first time
Medium overridden
Service principal names were cleared from a machine account. overridden
Service ticket request with a spoofed sAMAccountName Medium Identity Analytics
A Kerberos service ticket (ST) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Follow actions by the account and if it performed a DCSync.SharePoint Site Collection admin group addition Informational Identity Threat Module 2 variations
A user made an addition to the site collection administrators group in SharePoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Roles (T1098.003)Required data: Office 365 AuditAttacker's goals: Elevate permissions and establish persistence.Investigative actions: Check the IP address from which the access originated. Verify the activity with the performing user. Follow further actions done by the account.Variations
SharePoint site collection admin added to personal site
Informational overridden
A user was added as a site collection admin to a personal site, indicating that the user has accessed the SharePoint service for the first time. overridden
Abnormal SharePoint Site Collection admin group addition
Low overridden
A user made an addition to the site collection administrators group in SharePoint. This user has not made any SharePoint site admin additions over the past 30 days. overridden
Suspicious account attribute modification that matches that of another account Low Identity Analytics 1 variation
Suspicious account attribute modification that matches that of another account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker might modify account attributes to elevate privileges and get access to strong accounts in the domain.Investigative actions: Check if any associated certificates were granted. Check if any login attempts were made by the impersonated accounts using certificates. Check if any Kerberos TGT tickets were generated by the impersonated accounts using certificates.Variations
Suspicious account attribute modification that matches that of a sensitive machine account
Medium overridden
Suspicious account attribute modification that matches that of another account. overridden
Suspicious cloud compute instance SSH keys modification attempt Informational Cloud 7 variations
An identity attempted to modify the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Account Manipulation: SSH Authorized Keys (T1098.004) Remote Services: Cloud Services (T1021.007) Remote Services: Direct Cloud VM Connections (T1021.008)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Lateral Movement AnalyticsAttacker's goals: Maintain persistence on a compromised compute instance. Escalate local privileges to gain root on compute instance.Investigative actions: Investigate if SSH keys were modified or added at the instance or project level. Investigate which permissions were obtained as a result of the SSH keys modification.Variations
Suspicious cloud compute instance SSH keys modification attempt by an identity with high administrative activity
Informational overridden
An identity attempted to modify the SSH keys of a single compute instance.The identity has high administrative activityThis may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Instance SSH keys were modified for the first time in the cloud provider
High overridden
An identity has modified the SSH keys of an instance for the first time in the cloud provider.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification by a service account
Medium overridden
A service account has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious cloud compute instance SSH keys modification
Informational overridden
An identity has modified the SSH keys of a single compute instance.This may indicate an attacker's attempt to maintain persistence on the cloud instance. overridden
Suspicious GCP project level metadata modification by a service account
Low overridden
A service account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious GCP project level metadata modification attempt
Informational overridden
An identity account has modified the metadata of the entire instances in the project.This may indicate an attacker's attempt to perform lateral movement within the project. overridden
Suspicious dNSHostName attribute change to DC name Medium Identity Analytics
The dNSHostName attribute of a machine account was changed to a Domain Controller server name.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts: Domain Accounts (T1078.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Suspicious modification of the AdminSDHolder's ACL Low Identity Analytics
A user modified the AdminSDHolder ACL, which may be an indication of a privilege escalation attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers attempt to obtain full control privileges and then move laterally.Investigative actions: Check if a new user was added to the AdminSDHolder object. Check if a suspicious user account was recently created. Check if a user was added to a privileged group (e.g. Domain Admins). Investigate any other potentially suspicious behavior from the compromised user. Search for actions that may trigger SDProp, such as modifying the registry or executing an LDAP query.Suspicious sAMAccountName change Low Identity Analytics 1 variation
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Check if any associated TGTs or service tickets were granted. Follow actions by the account and if it performed a DCSync.Variations
Suspicious sAMAccountName change to DC hostname
Medium overridden
The name of a machine account was changed to a sAMAccountName with a missing trailing dollar sign. overridden
TGT request with a spoofed sAMAccountName - Event log Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.TGT request with a spoofed sAMAccountName - Network Medium Identity Analytics
A Kerberos authentication ticket (TGT) was requested for an account with a spoofed sAMAccountName.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Elevate privileges from standard domain user to domain admin.Investigative actions: Check if the domain controller is patched or vulnerable to the attack. Look for associated sAMAccountName rename events. Check if any associated service tickets were granted. Follow actions by the account and if it performed a DCSync.Unusual AWS credentials creation Low
AWS utility was used to create an access key and a secret key.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: XDR AgentAttacker's goals: Maintain access to an AWS provider.Investigative actions: Check the machine timeline and look for abnormal activity. Investigate what other calls were made to the AWS account.Unusual AWS user added to group Low 1 variation
AWS user added to AWS group, possibly to elevate privileges and gain more access to resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Gain persistence and elevate privileges.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual AWS user added to group from a Kubernetes Pod
Low overridden
AWS user added to AWS group, possibly to elevate privileges and gain more access to resources. overridden
Unusual Identity and Access Management (IAM) activity Informational Cloud 2 variations
A cloud identity performed an unusual IAM operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Manipulate IAM configuration to strengthen the foothold in the cloud environment of the organization, by creating new accounts, modifying credentials, and permissions.Using the modified accounts, the attacker may perform additional activities in an evasive manner.Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive IAM operation that it shouldn't.Variations
Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance
Medium overridden
A cloud Internet facing instance performed an unusual IAM operation. overridden
Unusual Identity and Access Management (IAM) activity
Low overridden
A cloud non-user identity performed an unusual IAM operation. overridden
Unusual user account enablement Informational Identity Analytics 1 variation
A user enabled an account. This user does not usually enable user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may enable a user account to gain persistence.Investigative actions: Investigate the associated enabling event. Check if the user is authorized to enable accounts. Confirm that the account enablement was expected. If the account enablement seems suspicious, address it accordingly by disabling the account again, forcing a password change, or monitoring its activity.Variations
Unusual sensitive user account enablement
Low overridden
A user enabled a sensitive account. This user does not usually enable user accounts. overridden
Unverified domain added to Azure AD Informational Identity Threat Module 1 variation
A new unverified domain was added to Azure AD.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: AzureAD Audit LogAttacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.Investigative actions: Check if the new domain is known for the organization. Check whether the user changing the configuration is permitted. Monitor network activity to and from the added domain.Variations
Rare unverified domain addition to Azure AD
Low overridden
A new unverified domain was added to Azure AD. overridden
User account delegation change Informational Identity Analytics 2 variations
A user account was modified with delegation to a service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to control an Active Directory environment.Investigative actions: Verify this action with the user who performed the change. Check if the account modified is a service account. Follow actions by the user, including TGT and TGS requests. Monitor for anomalous Kerberos activity.Variations
User account delegation to KRBTGT
High overridden
A user account was modified with delegation to the KRBTGT service. overridden
User account delegation to a DC
Low overridden
A user account was modified with delegation to a service on a domain controller. overridden
User added a new device to Okta Verify instance Informational Identity Threat Module 1 variation
The user has successfully registered a new device with the Okta Verify application.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: Attackers may exploit the device registration process in Okta by registering unauthorized devices, thereby gaining access to sensitive resources and user accounts within an organization.Investigative actions: Reach out to the user responsible for the device registration to confirm its legitimacy. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN). Make sure the IP address is not showing any abnormal activity. Monitor the activity from the new registered device and ensure that it matches the user's normal activity.Variations
Suspicious device enrollment to Okta
Low overridden
A new device was registered on Okta with suspicious characteristics, which increased the alert severity. overridden
User added to a group and removed Informational Identity Analytics 2 variations
A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Elevate permissions and establish persistence.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Check for any suspicious actions performed by the added user. Check for a possible compromise of the initiating user.Variations
Rare privileged group addition and removal
Medium overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to a privileged group and removed
Low overridden
A user was added to an Active Directory privileged group and removed within a short period of time, which may be a sign of compromise. overridden
User added to the SMS Admins local group Low Identity Analytics 1 variation
A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Account Manipulation (T1098) Valid Accounts (T1078)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.Investigative actions: Verify the activity with the performing user. Confirm that the group addition was not accidental. Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts. Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.Variations
User added to the SMS Admins group and removed
Medium overridden
A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise. overridden