Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. technique: T1134 ✕

Show ATT&CK heatmap
  • Execution of command from within a Kubernetes pod using kubelet credentials Low 1 variation

    A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Access Token Manipulation (T1134)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual execution of command from within a Kubernetes pod using kubelet credentials

    Medium overridden

    A command was executed from within a Kubernetes pod using Kubelet credentials. This activity allows an attacker to impersonate the node and perform privileged operations against the cluster API. overridden

  • Okta API Token Created Informational Identity Threat Module 1 variation

    A user created a new API token in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.
    Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.

    Variations

    An Okta API token was generated with suspicious characteristics

    Low overridden

    A user created a new API token in Okta with suspicious conditions. overridden

  • User added SID History to an account Informational Identity Analytics 1 variation

    A user added SID history to an account. This may be indicative of a user's migration between domains or a SID injection attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Access Token Manipulation: SID-History Injection (T1134.005)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversaries may use SID history to escalate privileges and bypass access controls.
    Investigative actions: Verify if migration between domains was involved. Search for suspicious actions by the user, such as forged Kerberos tickets.

    Variations

    Suspicious SID History Addition

    Medium overridden

    A user added SID history to an account. The account was not migrated between domains, which may indicate a SID injection attack. overridden