Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. technique: T1534 ✕
Show ATT&CK heatmapCloud email service activity Informational Cloud 2 variations
A cloud Identity performed an email service operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Internal Spearphishing (T1534)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Abuse the cloud email service for sending phishing emails.Investigative actions: Check for any following actions related to this activity. Verify that the identity did not abuse the email service to send phishing emails to victims.Variations
Unusual cloud email service activity
Low overridden
A cloud Identity performed an email service operation for the first time in the tenant. overridden
Cloud email service entity creation
Low overridden
A cloud Identity created a new cloud email identity. overridden
User sent messages in Microsoft Teams to multiple conversations via Graph API Informational Identity Threat Module 1 variation
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Internal Spearphishing (T1534)Required data: Microsoft Graph LogsDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage a compromised user account to send phishing or malicious messages via Graph API to multiple recipients, aiming to propagate the attack while evading detection.Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.Variations
User sent messages in Microsoft Teams to several conversations via Graph API with suspicious characteristics
Low overridden
A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it. overridden