Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

12 alerts match the current filters. technique: T1484 ✕

Show ATT&CK heatmap
  • A GCP service account was delegated domain-wide authority in Google Workspace Low Identity Threat Module 1 variation

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious Apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account and granted him access to a sensitive scope

    Medium overridden

    A Google Workspace admin has enabled domain-wide delegation to a GCP service account. overridden

  • A Google Workspace service was configured as unrestricted Informational Identity Threat Module 3 variations

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    A Google Workspace service was configured as unrestricted by a suspicious identity

    Low overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

    A Google Workspace service was configured as unrestricted from an unusual ASN

    Low overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

    A Google Workspace service was configured as unrestricted by a non-administrative identity

    Informational overridden

    An identity configured a Google Workspace service as unrestricted Apps configured with a trusted or limited access setting can access data for unrestricted services. overridden

  • A domain was added to the trusted domains list Low Identity Threat Module 2 variations

    A domain was added to the Google Workspace trusted domains list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.

    Variations

    A domain was added to the trusted domains list by a non Google Workspace administrative user

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

    A domain was added to the trusted domains list from an unusual ASN

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

  • A user accessed Okta's admin application Informational Identity Threat Module 1 variation

    An attempt to access Okta's admin management application.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation (T1098) Domain or Tenant Policy Modification (T1484) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: Adversaries are attempting to infiltrate Okta's administrative application, a breach that could lead to the manipulation of authentication procedures, creation of persistent user accounts, and various activities aiding in the compromise of additional assets.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    Suspicious Okta Admin App Access Attempt

    Low overridden

    A user attempted to access the Okta Admin Application in a suspicious way. overridden

  • A user modified an Okta policy rule Informational Identity Threat Module 1 variation

    An Okta policy rule was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.

    Variations

    A user modified an Okta policy rule with suspicious characteristics

    Low overridden

    An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden

  • Azure AD PIM alert disabled Medium Identity Threat Module

    An identity disabled an Azure AD PIM alert.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker might want to disable alerts associated with authentication requirements for privileged access. This may allow malicious activities to go unnoticed.
    Investigative actions: Check what alert was disabled. Check whether the user that disabled the alert is permitted to perform such actions.
  • Azure conditional access policy creation or modification Informational Cloud

    An Azure conditional access policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Bypass authentication controls.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Azure domain federation settings modification attempt Low Identity Threat Module 1 variation

    A user or application attempted to modify the federation settings of the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Account Manipulation: Additional Cloud Credentials (T1098.001) Domain or Tenant Policy Modification (T1484)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker attempts to change Active Directory configuration for persistence or defense evasion.
    Investigative actions: Check what configuration has been changed. Check whether the user changing the configuration is permitted.

    Variations

    A successful Azure domain federation settings modification

    Medium overridden

    A user or application successfully modified the federation settings of the domain. overridden

  • Cloud Organizational policy was created or modified Informational Cloud 1 variation

    Cloud organizational policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)
    Required data: Gcp Audit Log
    Attacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.
    Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.

    Variations

    Cloud Organizational policy was created or modified

    Low overridden

    Cloud organizational policy was created or modified. overridden

  • Gmail delegation was turned on for the organization Informational Identity Threat Module

    A Google Workspace admin turned on Gmail delegation for all the organization's users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Email Collection.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if any user in the organization granted other users access to their mail inbox. Follow further actions done by the account.
  • Google Marketplace restrictions were modified Informational Identity Threat Module 3 variations

    An identity modified Google Marketplace Restrictions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious Apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    Google Marketplace restrictions were modified by a suspicious identity

    Low overridden

    An identity modified Google Marketplace Restrictions. overridden

    Google Marketplace restrictions were modified from an unusual ASN

    Low overridden

    An identity modified Google Marketplace Restrictions. overridden

    Google Marketplace restrictions were modified by a non Google Workspace administrative user

    Informational overridden

    An identity modified Google Marketplace Restrictions. overridden

  • Google Workspace third-party application's security settings were changed Informational Identity Threat Module 3 variations

    An identity changed Google Workspace third-party application's security settings.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Domain or Tenant Policy Modification (T1484)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious apps can be used to access the organization's Google data.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new settings look suspicious. Follow further actions done by the account.

    Variations

    Google Workspace third-party application's security settings were changed by a suspicious identity

    Low overridden

    An identity changed Google Workspace third-party application's security settings. overridden

    Google Workspace third-party application's security settings were changed from an unusual ASN

    Low overridden

    An identity changed Google Workspace third-party application's security settings. overridden

    Google Workspace third-party application's security settings were changed by a non Google Workspace administrative user

    Informational overridden

    An identity changed Google Workspace third-party application's security settings. overridden