Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

28 alerts match the current filters. technique: T1526 ✕

Show ATT&CK heatmap
  • A user accessed multiple unusual resources via SSO Informational Identity Threat Module 3 variations

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Cloud Service Dashboard (T1538) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
    Investigative actions: Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.

    Variations

    A user accessed multiple resources via SSO using an anonymized proxy

    Medium overridden

    A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account. overridden

    Suspicious user access to multiple resources via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

    Multiple Resource Access from a New IP via SSO

    Low overridden

    A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account. overridden

  • AI model discovery Low Cloud

    A cloud identity listed available AI models. This behavior often suggests reconnaissance on AI models and potential misuse.MITRE ATLAS Technique: AML.T0007 - Discover ML Artifacts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Gather information about AI models in the environment.
    Investigative actions: Determine which AI models were enumerated. Monitor the usage of affected AI models to detect potential misuse, such as unusual or excessive access attempts. Investigate any unusual activity originating from the suspected identity.
  • AWS EBS enumeration activity Informational Cloud

    EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.
    Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.
  • AWS EC2 discovery operation Informational Cloud 3 variations

    AWS EC2 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.
    Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.

    Variations

    AWS VPC discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS Site-to-Site VPN discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS PrivateLink discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

  • AWS Lambda discovery operation Informational Cloud

    AWS Lambda discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.
    Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.
  • AWS SSM parameters discovery Informational Cloud 1 variation

    An attempt was made to list parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS SSM parameters discovery

    Informational overridden

    An attempt was made to list parameters stored in AWS SSM. overridden

  • AWS Secrets Manager discovery Informational Cloud 1 variation

    An attempt was made to list secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS Secrets Manager discovery

    Informational overridden

    An attempt was made to list secrets from AWS Secrets Manager. overridden

  • AWS Storage Gateway enumeration Informational Cloud

    An AWS Storage Gateway was enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS Storage Gateway file share enumeration Informational Cloud

    AWS Storage Gateway file shares were enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • An Azure application reached a throttling API rate Informational Cloud 2 variations

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Enumerate cloud services in an Azure tenant.
    Investigative actions: Check the application's role designation in the organization. Look for any unusual behavior originated from the suspected application.

    Variations

    An Azure application reached an unusual throttling API rate

    Informational overridden

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden

    An Azure application reached an unusual throttling API rate

    Low overridden

    An Azure application has executed a high volume of Microsoft Graph API calls, causing a throttling error. overridden

  • An internal Cloud resource performed port scan on external networks Medium Cloud

    An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Impact (TA0040)
    ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)
    Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR Agent
    Attacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.
    Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.
  • Azure enumeration activity using Microsoft Graph API Informational Cloud 1 variation

    The Microsoft Graph API was used to enumerate an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Map the Azure tenant and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Azure sensitive resources enumeration activity using Microsoft Graph API

    Informational overridden

    Microsoft Graph API was used to enumerate sensitive resources in Azure tenant. overridden

  • Cloud email infrastructure enumeration activity Informational Cloud

    A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Map the cloud email environment and detect potential email resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.
  • Cloud infrastructure enumeration activity Informational Cloud 1 variation

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Map the cloud environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious cloud infrastructure enumeration activity

    Low overridden

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden

  • First SSO Resource Access in the Organization Informational Identity Analytics 1 variation

    A resource was accessed for the first time via SSO.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Discovery (TA0007)
    ATT&CK techniques: Valid Accounts: Domain Accounts (T1078.002) Cloud Service Discovery (T1526)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Use a possibly compromised account to access privileged resources.
    Investigative actions: Confirm that the activity is benign (e.g. this is a newly approved resource). Follow further actions done by the user that attempted to access the resource.

    Variations

    Abnormal first access to a resource via SSO in the organization

    Low overridden

    A resource was accessed for the first time via SSO with suspicious characteristics. overridden

  • IAM Enumeration sequence Informational Cloud 1 variation

    An identity has executed a sequence of events which may be related to an IAM recon enumeration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Gather information about the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Verify whether the API calls were made by the identity and check for any additional related calls.

    Variations

    IAM Enumeration sequence executed from a cloud Internet facing instance

    Low overridden

    A cloud Internet facing instance performed an unusual IAM enumeration. overridden

  • Kubernetes enumeration activity Informational Cloud 1 variation

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Map the cluster environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious Kubernetes enumeration activity

    Informational overridden

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Mailbox enumeration activity by Azure application Informational Cloud 1 variation

    Microsoft Graph API was used to enumerate mailboxes in Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in mailboxes.
    Investigative actions: Determine which mailboxes were enumerated and whether they contained any sensitive information. Investigate the identity following actions.

    Variations

    Mailbox enumeration activity by Azure user

    Informational overridden

    Microsoft Graph API was used by a user to enumerate mailboxes. overridden

  • Microsoft OneDrive enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft OneDrive items.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft OneDrive.
    Investigative actions: Determine which OneDrive files were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft OneNote enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft OneNote items.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft OneNote.
    Investigative actions: Determine which OneNote items were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft SharePoint enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft SharePoint sites in an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft SharePoint.
    Investigative actions: Determine which SharePoint sites were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Microsoft Teams enumeration activity Informational Cloud

    The Microsoft Graph API was used to enumerate Microsoft Teams channels in an Azure tenant.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs, Microsoft Teams
    Attacker's goals: To extract sensitive information stored in Microsoft Teams.
    Investigative actions: Determine which Teams channels were enumerated and whether they contained any sensitive information. Investigate the identity following actions.
  • Multi region enumeration activity Informational Cloud

    An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.
    Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.
  • Suspicious Azure enumeration activity Medium Cloud

    An Azure identity performed resource enumeration across multiple services using Microsoft Graph.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Map the Azure tenant and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.
  • Unusual AWS systems manager activity Informational Cloud

    A cloud identity performed an SSM operation for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Service Discovery (T1526) Remote Services: Cloud Services (T1021.007)
    Required data: AWS Audit Log
    Attacker's goals: Manipulate SSM operations to take control over EC2 instances and strengthen the foothold in the cloud environment of the organization, by running critical operating system commands, manipulating the parameters store, and patch management configuration.
    Investigative actions: Check the identity's role designation in the organization. Verify that the identity did not perform any sensitive SSM operation that it shouldn't.
  • Unusual IAM enumeration activity by a non-user Identity Informational Cloud

    An unusual command which may be related to an IAM recon enumeration was executed by a non-user identity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery (T1069) Cloud Service Discovery (T1526)
    Required data: Gcp Audit Log
    Attacker's goals: Collect information on the cloud environment, including IAM users, groups, roles, and policies.
    Investigative actions: Check if the API call was made by the identity.Check if there are additional unusual API calls from the identity.
  • Unusual access to Microsoft 365 storage services Informational Cloud 1 variation

    Unusual access was detected to a Microsoft 365 storage service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Extract sensitive information stored in Microsoft 365 storage services.
    Investigative actions: Determine which items were accessed. Identify whether they contained any sensitive information. Check for signs of a compromised identity, such as abnormal login activity or unusual behavior. Verify if the identity is authorized to access these drives. Monitor the identity for any further suspicious actions.

    Variations

    Unusual access to Microsoft 365 storage services from an uncommon IP

    Low overridden

    Unusual access was detected to a Microsoft 365 storage service. overridden

  • Unusual resource access by Azure application Informational Cloud 1 variation

    An Azure application had interacted with an unusual resource using the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Service Discovery (T1526)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Abuse applications to gain access to the Azure tenant.
    Investigative actions: Verify whether the application is intended to use the resource in question. Investigate any unusual activity originating from the application.

    Variations

    Suspicious resource access by Azure application

    Low overridden

    An Azure application had interacted with an unusual resource using the Microsoft Graph API. overridden