Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. technique: T1199 ✕

Show ATT&CK heatmap
  • AWS STS temporary credentials were generated Informational Cloud

    AWS STS temporary credentials were generated for an AWS identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Trusted Relationship (T1199) Forge Web Credentials (T1606)
    Required data: AWS Audit Log
    Attacker's goals: Gain access and persistence to AWS account.
    Investigative actions: Check which operation executed with the new credentials.
  • An AWS SAML provider was modified Informational Cloud

    An AWS SAML provider was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)
    Required data: AWS Audit Log
    Attacker's goals: Gain privileged access to AWS accounts.
    Investigative actions: Check what changes were made to the SAML provider.
  • Attempted Azure application access from unknown tenant Informational Cloud 2 variations

    A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Abuse serverless services to execute code in cloud environments.
    Investigative actions: Validate the legitimacy of the tenant in question. Investigate any unusual activity originating from the application.

    Variations

    Attempted Azure application access from an unusual tenant

    Medium overridden

    A Microsoft Graph API was unsuccessfully executed by an Azure application from an unknown tenant. overridden

    Azure application access from unknown tenant

    Low overridden

    A Microsoft Graph API was executed by an Azure application from an unknown tenant. overridden

  • Azure application consent Informational Identity Threat Module 1 variation

    An identity consented permissions to an application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Phishing (T1566) Phishing: Spearphishing Link (T1566.002) Steal Application Access Token (T1528) Trusted Relationship (T1199)
    Required data: AzureAD Audit Log
    Attacker's goals: Get access to credentials, data or an organization via applications with sufficient permissions.
    Investigative actions: Follow further actions by the consenting user. Check for new resource creations by the new user. Check how the consenting user got to the application. Verify the application creators. Check what permissions the application requested. Check for possible phishing in the organization.

    Variations

    First seen Azure admin consent to an application

    Low overridden

    An administrative identity consented permissions to an application. overridden

  • Cloud impersonation attempt by unusual identity type Informational Cloud 2 variations

    A suspicious identity type has attempted to impersonate another identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges to bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform sensitive operation on behalf of the impersonated identity.

    Variations

    Cloud impersonation attempt of a management role by unusual identity type

    Informational overridden

    An unusual cloud identity type attempted to impersonate a management role. overridden

    Successful cloud impersonation by an unusual identity type

    Medium overridden

    A suspicious identity type has successfully impersonated another identity. overridden

  • Download pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Email mimics replies or forwards without an actual ongoing conversation Informational Email

    An email with a subject line or body that includes signs of a reply or forward without an actual ongoing conversation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Phishing (T1566) Trusted Relationship (T1199)
    Required data: Microsoft 365 Emails
    Detector tags: Spoofing
    Attacker's goals: Create the illusion of being part of an existing email conversation to build trust and reduce the target's suspicion, mislead recipients by concealing harmful intents such as phishing or malware distribution.
    Investigative actions: Analyze the full set of email headers to confirm the absence of legitimate References and In-Reply-To headers and verify if the email was altered or forged. Investigate if the sender's domain is known, flagged, or associated with suspicious activity to detect possible impersonation. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • Multiple failed logins from a single IP Informational Cloud 2 variations

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access to the cloud console.
    Investigative actions: Check if the IP is a known IP. Check if a successful login from the same IP occurred after the failed login attempts.

    Variations

    Multiple failed logins from an unknown IP

    Medium overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider.The IP is not a known IP in the organization.This could indicate on an active brute force attempt. overridden

    Multiple failed logins from a single IP by a compromised AWS access key

    High overridden

    Multiple failed logins were observed in a short period of time from a single external IP.The IP is not a known identity provider. overridden

  • Okta User Session Impersonation Informational Identity Threat Module 1 variation

    A user has initiated a session impersonation in Okta.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker's goal is to gain unauthorized access to sensitive information or perform malicious actions on behalf of the impersonated user.
    Investigative actions: Ensure the user is authorized to impersonate a user session. Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.

    Variations

    Okta User Session Impersonation with suspicious characteristics

    Low overridden

    A user has initiated a session impersonation with suspicious characteristics in Okta. overridden

  • Rare MS-Update Server was detected Informational 1 variation

    The endpoint requested an MS-Update operation from a rare update server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attackers may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.
    Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.

    Variations

    Rare MS-Update Server was detected

    Informational overridden

    The endpoint requested an MS-Update operation from a rare update server. overridden

  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden

  • Unusual cross projects activity Low Cloud 1 variation

    A suspicious activity between different cloud projects.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Trusted Relationship (T1199)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse an existing connection and pivot through multiple projects to find their target.
    Investigative actions: Check if the identity intended to perform actions on the project. Check the operations that were performed on the project {caller_project}. Check if the identity performed additional operations in the cloud environment that might be malicious.

    Variations

    Suspicious cross projects activity

    Medium overridden

    A suspicious activity between different cloud projects. overridden

  • Upload pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.