Analytics Alerts
Browse the Cortex analytics alert reference.
49 alerts match the current filters. technique: T1110 ✕
Show ATT&CK heatmapA user connected from a new country Informational Identity Analytics 1 variation
A user connected from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
A user connected from a new country - suspicious characteristics detected
Low overridden
The user connected from a country they have not accessed from previously, which may indicate potential account compromise due to unusual or suspicious characteristics. overridden
A user connected to a VPN from a new country Informational Identity Analytics 1 variation
A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
A user connected to a VPN from a suspicious country
Low overridden
A user connected to a VPN service from an unusual country. This may indicate the account was compromised. overridden
A user logged in from an abnormal country or ASN Informational Identity Analytics 1 variation
A user logged in from an unusual country or ASN. This may indicate that the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country. Check for any other suspicious activity related to the account. Check other ASNs and Countries that the user logged in from. Look for additional login attempts.Variations
A service account successfully logged in from a new country or ASN
Low overridden
A service account successfully logged in to an internet facing server from an unusual country or ASN. This may indicate that the account was compromised. overridden
A user rejected an SSO request from an unusual country Low Identity Analytics
A user rejected an SSO authentication request from an abnormal country.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: OktaAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Verify the reject cause of the MFA attempts. Check to see if the user has successfully authenticated around the time of the alert, and confirm it's a legitimate login. Verify the authentication attempt from the rare country is benign.Account probing Low Identity Analytics
A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Gain access to hosts by using stolen user-account credentials.Investigative actions: Check if the user account was compromised, and which resources it could access.Brute-force attempt on a local account Informational Identity Analytics 1 variation
A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the account.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Brute force on a local account
Low overridden
A local user account failed to log in multiple times in a short time period. This may indicate a brute-force attack. overridden
Email contains URL delivering high-risk file type Informational Email 1 variation
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: To bypass attachment-based blocking by delivering malware or exploiting payloads via URLs pointing to file types commonly blocked by email vendors.Investigative actions: Review the URLs and determine if they host executable or script-based content. Check threat intelligence sources for reputation or known associations with malware. Investigate whether any users clicked the URL or downloaded the file. Analyze the file content using sandbox or static analysis tools.Variations
External email with URL delivers blocked file types
Low overridden
Emails with URLs linking to file types commonly blocked by email vendors due to their use in malware delivery. overridden
Excessive user account lockouts Low Identity Analytics 2 variations
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Determine if any programs have stored outdated credentials, causing account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Excessive user account lockouts from a suspicious source
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
Excessive account lockouts on suspicious users
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
External Login Password Spray Informational Identity Analytics 6 variations
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Check the amount of time in between each login attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful login attempts and the ratio of login success versus login failures.Variations
External Login Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
External Login Password Spray from Multiple Source Hosts
Informational overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
Successful External Login Password Spray on a Domain Controller
Medium overridden
An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden
Successful External Login Password Spray on a sensitive server
Medium overridden
An abnormally high amount of user account login attempts were seen on a sensitive server within a short period of time. overridden
Successful External Login Password Spray
Low overridden
An abnormally high amount of user account login attempts were seen on a host within a short period of time.This may have resulted from a login password spray attack. overridden
External Login Password Spray on a Domain Controller
Low overridden
An abnormally high amount of user account login attempts were seen on a domain controller within a short period of time. overridden
External email with a single internal recipient hidden in BCC Informational Email 1 variation
External email with mailbox owner hidden in BCC as the only internal recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: BCC enables sending the same email to multiple hidden recipients without revealing them to each other.Investigative actions: Review the headers and content for patterns or anomalies. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
External email with only a hidden internal BCC recipient
Informational overridden
External email with no visible recipients, mailbox owner is hidden in BCC. overridden
FTP Connection Using an Anonymous Login or Default Credentials Low
An FTP connection using an anonymous login was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.First VPN access attempt from a country in organization Informational Identity Analytics 1 variation
A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Use an account that was possibly compromised to gain access to the network.Investigative actions: See whether the service authentication was successful. Confirm that the activity is benign (e.g. the user has switched locations and providers). Verify if the country is an approved country to connect from. Follow further actions done by the user.Variations
First successful VPN access from a country in organization
Low overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
First connection from a country in organization Informational Identity Analytics 1 variation
A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
First successful SSO connection from a country in organization
Informational overridden
A user successfully connected from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised. overridden
Granting Access to an Account Informational Cloud
Azure access has been granted to an account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)Required data: Azure Audit LogAttacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.Hydra Password Brute-Force Tool Execution High 1 variation
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: The attacker attempts to gain access to the account or host.Investigative actions: Verify that the commands are executed from a trusted source. Audit the victim account or host and verify that they haven't been compromised.Variations
Hydra Password Brute-Force Tool Execution from a Kubernetes pod
High overridden
Attackers may use brute-force techniques to gain access to accounts when usernames and/or passwords are unknown. overridden
IP Rotation Pattern in SSO Spray Informational Identity Analytics 2 variations
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to compromise user accounts through unauthorized access attempts.Investigative actions: Determine if the activity was performed by a legitimate user. Check for any successful logins that occurred following a series of failed attempts. Investigate the AS organization and evaluate the ASN's reputation for malicious activity. Review historical login behavior from the same IP addresses or ASN. Validate whether MFA was triggered or bypassed during the authentication attempts.Variations
Potential Targeted SSO Password Spray Activity Detected
Medium overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Suspicious SSO Login Attempts from Multiple IPs
Low overridden
A high volume of SSO authentication attempts was observed in a short time window.This behavior may indicate a password spray attack targeting multiple accounts. overridden
Impossible traveler - SSO Low Identity Analytics 3 variations
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 6 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.Variations
Impossible traveler - non-interactive SSO authentication
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Possible Impossible traveler via SSO
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
SSO impossible traveler from a VPN or proxy
Informational overridden
User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.This may indicate the account is compromised. overridden
Impossible traveler - VPN Low Identity Analytics 3 variations
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 7 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user routed their traffic via a proxy, or shared their credentials with a remote employee.Variations
Possible Impossible traveler via VPN
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler from a VPN or proxy
Informational overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
VPN impossible traveler with an unusual parameter
Medium overridden
A user connected to a VPN service from multiple remote countries in a short period of time, which should normally be impossible.This may indicate the account is compromised. overridden
Intense SSO failures Informational Identity Analytics 1 variation
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.Variations
Intense SSO failures with suspicious characteristics
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden
Interactive local account enumeration Low Identity Analytics
Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Internal Login Password Spray Informational Identity Analytics 5 variations
An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Check the amount of time in between each authentication attempt. Investigate the reason behind the login failures and if any accounts were locked out. Look for any successful authentication attempts and the ratio of login success versus login failures. Monitor for potential abuse of MFA on users who have successfully logged in.Variations
Suspicious intensive and short internal Login Password Spray
Medium overridden
An abnormally high number of login attempts within a very short period of time and suspicious automated behavior. overridden
High-Volume Internal Password Spray Attack
Medium overridden
Over 500 user accounts failed to login within a short period of time. overridden
Internal Login Password Spray with many wrong password attempts
Low overridden
An abnormally high amount of user account login attempts with wrong password were seen with a wrong password within a short period of time. overridden
Internal Login Password Spray attempt on local user
Low overridden
An abnormally high number of login attempts with the same username to different domains or local machines within a short period of time. overridden
Internal Login Password Spray on many users
Low overridden
An abnormally high amount of user account login attempts were seen from a host within a short period of time.This may have resulted from a login password spray attack. overridden
Kerberos Pre-Auth Failures by Host Low
The endpoint failed an unusual number of Kerberos pre-authentications (TGT requests) from at least three users when compared to its baseline.This can indicate a password-spraying attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.Investigative actions: Verify whether the host that generated the alert is normally used by many users (for example, a terminal server). Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.Kerberos Pre-Auth Failures by User and Host Informational
The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.This can indicate a Kerberos brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker is attempting to guess the credentials for the user account.Investigative actions: Verify that the password for the account has not been changed recently, without updating the user or the program using it. Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.Moniker link detected in URL(s) Informational Email 2 variations
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Malicious URLsAttacker's goals: Trick the user on clicking the link, while avoiding detection.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before and if it is recognizable. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
A suspicious Moniker link, SMB and suspicious extension detected
Medium overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
A suspicious Moniker link pointing to SMB detected
Low overridden
A Moniker link was detected within the email's body.The link has the convention of a Moniker link (CVE-2024-21413) correlated to a suspicious URL scheme. overridden
Multiple Suspicious FTP Login Attempts Low
Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.Multiple user accounts failed login due to account lockouts Low Identity Analytics 1 variation
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: XDR AgentAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if any programs were cached with old credentials, resulting in account lockouts. Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Excessive user account login failure due to lockout from a suspicious source
Medium overridden
A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack. overridden
NTLM Brute Force Informational Identity Analytics 2 variations
This may indicate an NTLM brute force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
NTLM brute force on a sensitive user
Medium overridden
This may indicate an NTLM brute force attack. overridden
High-frequency NTLM brute force attempts detected
Low overridden
This may indicate an NTLM brute force attack. overridden
NTLM Brute Force on a Service Account Low Identity Analytics
This may indicate a NTLM brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the service accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.NTLM Brute Force on an Administrator Account Low Identity Analytics
This may indicate an NTLM brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the administrator accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.NTLM Password Spray Informational Identity Analytics 1 variation
A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time. This may be indicative of a NTLM password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: The attacker may attempt to guess user credential by password spray attack over multiple machines.Investigative actions: Verify any successful authentication made by one of the user accounts referenced by the alert, as these may indicate the attacker managed to guess the credentials.Variations
NTLM password spray on a sensitive entity
Low overridden
A single host tried to perform an unusual amount of login attempts using NTLM in a short period of time on a sensitive entity. This may be indicative of a NTLM password spray attack. overridden
Outbound email contains file-sharing service link sent to external recipient Informational Email 2 variations
Identifies outbound emails that include links to file-sharing services sent externally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Exfiltrate data by sharing a link to a file-sharing service with external recipients, bypassing attachment inspection and potentially evading visibility controls.Investigative actions: Review the shared URL to determine if the file is publicly accessible or shared outside the organization. Check if the file-sharing domain has been previously used by this sender or others in the organization. Investigate recent outbound emails for similar use of file-sharing services or unusual external recipients.Variations
Outbound email to external recipient(s) uses first-seen for organization file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email to external recipient(s) uses first-seen for sender file-sharing service
Informational overridden
Identifies outbound emails that include links to file-sharing services sent externally. overridden
Outbound email includes an external BCC recipient observed for the first time Informational Email 1 variation
Internal sender BCC'd an external recipient whose address has not been observed in prior communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Use BCC to covertly exfiltrate data to an unusual external recipient without visibility to other recipients or monitoring systems.Investigative actions: Review headers and content for anomalies or potential exposure of sensitive data. Assess the email's context and attack techniques to determine the potential risk. Investigate if similar patterns have occurred recently across the organization.Variations
Outbound email sent to an unknown external BCC recipient with no To or CC addresses
Low overridden
Internal sender BCC'd an external recipient whose address has not been observed in prior communications. overridden
Outbound email to an address hosted by a public email service provider Informational Email 1 variation
Internal sender emailed to an address hosted by a public email service provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Outbound email to a single address hosted by a public email service provider
Informational overridden
Internal sender emailed to a single recipient with public email service provider. overridden
Possible Brute-Force attempt Informational Identity Analytics 2 variations
This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Brute Force (T1110) Remote Services (T1021)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Possible Brute-Force attempt on a Honey User Account
Medium overridden
This may indicate a brute-force attack. overridden
Possible Brute-Force attempt with a successful login and suspicious characteristics
Low overridden
This may indicate a brute-force attack. overridden
Possible brute force on sudo user Informational 1 variation
A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker may gain full privileges to the host.Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.Variations
Possible brute force on sudo user
Low overridden
A user executed an unusual amount of sudo commands in a short time period.This may indicate an attempt to guess the sudo password. overridden
Possible brute force or configuration change attempt on cytool High
An unusual amount of cytool commands were executed in a short period from a user who doesn't usually run these commands.This may indicate an attempt to guess the Administrator password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker may disable the agent to perform malicious activities.Investigative actions: Verify which user ran these commands and if it is a legitimate behavior on this host.Possible external RDP Brute-Force Low Identity Analytics 2 variations
Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Guessing (T1110.001)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts.Investigative actions: If the source IP is an internal IP, adjust network IP ranges. Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.Variations
Possible external RDP Brute-Force on a Honey User Account
Medium overridden
Multiple failed remote logins originated from an external IP with at least one successful login.This may indicate a successful brute-force attack. overridden
Potential External Brute-Force via RDP on Sensitive User
Medium overridden
Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.This may indicate a successful brute-force attack. overridden
Remote account enumeration Informational Identity Analytics 2 variations
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)Required data: XDR AgentAttacker's goals: Discover valid accounts to gain credentials.Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.Variations
Suspicious Remote domain account enumeration
Medium overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
Remote account enumeration on domain accounts
Low overridden
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden
SSH authentication brute force attempts Informational Identity Analytics 2 variations
A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 3 Hours
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110)Required data: XDR AgentAttacker's goals: Attackers attempt to log in to a remote host.Investigative actions: Verify any successful authentication by the user account referenced by the alert, as these can indicate the attacker managed to guess the credentials.Variations
Successful SSH Brute Force
Low overridden
A user successfully authenticated via SSH after an excessive number of failures in a short period. overridden
Possible SSH Brute Force
Low overridden
A user attempted to authenticate via SSH an excessive number of times in a short period. This may indicate a brute force attack. overridden
SSO Brute Force Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker is attempting to gain access to an account secured with MFA.Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Brute Force on a Honey User Account
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Brute Force Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a brute-force attack. overridden
SSO Password Spray Informational Identity Analytics 3 variations
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: See whether this was a legitimate action. Check if the user usually logs in from this country. Check whether a successful login was made after unsuccessful attempts.Variations
SSO Password Spray Involving a Honey User
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Threat Detected
Medium overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
SSO Password Spray Activity Observed
Low overridden
An abnormally high amount of SSO authentication attempts were seen within a short period of time.This may have resulted from a login password spray attack. overridden
Single account excessively locked out Informational Identity Analytics 1 variation
A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force (T1110) Brute Force: Password Spraying (T1110.003)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events). Check if there were any successful authentications (event ID 4624). Determine if any programs have stored outdated credentials, causing account lockouts. Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices. Confirm whether the user's credentials have been compromised or leaked. Review if the account is enrolled in multifactor authentication (MFA). Find the computer responsible for the lockouts and verify if it exists on the domain. Monitor services that may be running with a user's credentials.Variations
Single suspicious account excessively locked out
Low overridden
A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account. overridden
Sudden spike in outbound email volume Informational Email 2 variations
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 2 Hours
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Sudden spike in outbound emails sent to external recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Sudden spike in outbound emails sent to internal recipients
Informational overridden
Unusual amount of emails sent by an internal sender to one or more external recipients within a short timeframe. overridden
Suspicious Kerberos Pre-Auth Failures by Host Low Identity Analytics
An endpoint failed unusual number of Kerberos pre-authentications (TGT requests) which may indicate a password-spraying attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker is attempting to gain an initial foothold in the domain using a list of valid users and a guessed password.Investigative actions: Identify the source host from which the failed logons originated, by making sure the IP is not a shared address. Review source host activity to detect any additional suspicious or lateral movement behavior. Correlate successful logons from the source host to identify potential account compromises following the failed attempts.Suspicious sshpass command execution Low 1 variation
The sshpass command was executed, This could be an attempt to check for credential stuffing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Credential Stuffing (T1110.004)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to check and reuse credentials on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Suspicious sshpass command execution in a Kubernetes pod
Low overridden
The sshpass command was executed, This could be an attempt to check for credential stuffing. overridden
Usage of homograph characters detected in an email attachment(s) name Informational Email 1 variation
Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: User Execution (T1204) Brute Force: Password Cracking (T1110.002)Required data: Microsoft 365 EmailsDetector tags: Evasion, PhishingAttacker's goals: Evade file scanner defenses, tricking recipients into running malicious attachments.Investigative actions: Examine the sender's IP address and reputation. Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable. Check the domain the email came from, and if this domain is recognized within the organization. Scrutinize the attachments related to the email message. Monitor file-related actions taken related to the attachment.Variations
Usage of homograph characters detected in an email attachment(s) extension
Low overridden
Detected non-latin characters within an email attachment's extension(s).Detected characters resembling Latin letters within an email attachment(s) name.This method could be used as a method to evade text or file scanners and analyzers. overridden
User attempted to connect from a suspicious country Informational Identity Analytics 1 variation
A user connected from an unusual country. This may indicate the account was compromised.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 30 Days
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain user-account credentials.Investigative actions: Check if the user is currently located in the aforementioned country, or routed its traffic there via a VPN.Variations
User successfully connected from a suspicious country
Low overridden
A user successfully connected from an unusual country. This may indicate the account was compromised. overridden
VPN Login Password Spray Informational Identity Analytics 2 variations
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker may be attempting to gain unauthorized access to user accounts.Investigative actions: Analyze the time intervals between login attempts to check for patterns indicative of a password spraying attack. Investigate the cause of the login failures (e.g. incorrect passwords, account lockouts, other factors). Review the geographic regions behind the failed login attempts. Investigate if a successful login was made after unsuccessful attempts. Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.Variations
Successful VPN Password Spray Threat Detected with unusual characteristics
Medium overridden
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden
VPN login password spray with unusual characteristics
Low overridden
An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. overridden
VPN login Brute-Force attempt Informational Identity Analytics 2 variations
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Resource Development (TA0042)ATT&CK techniques: Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: An attacker attempts to gain access to the account.Investigative actions: Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials. Analyze login patterns for abnormal times, locations, or IPs for suspicious activity. Look for VPN login attempts from countries where the organization does not typically operate. Cross-reference the IP addresses with threat intelligence sources. Follow further actions taken by the account.Variations
Successful VPN Login Brute Force
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden
VPN login brute-force attempt with suspicious characteristics
Low overridden
A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack. overridden