Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. technique: T1534 ✕

Show ATT&CK heatmap
  • Cloud email service activity Informational Cloud 2 variations

    A cloud Identity performed an email service operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Internal Spearphishing (T1534)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Abuse the cloud email service for sending phishing emails.
    Investigative actions: Check for any following actions related to this activity. Verify that the identity did not abuse the email service to send phishing emails to victims.

    Variations

    Unusual cloud email service activity

    Low overridden

    A cloud Identity performed an email service operation for the first time in the tenant. overridden

    Cloud email service entity creation

    Low overridden

    A cloud Identity created a new cloud email identity. overridden

  • User sent messages in Microsoft Teams to multiple conversations via Graph API Informational Identity Threat Module 1 variation

    A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008)
    ATT&CK techniques: Internal Spearphishing (T1534)
    Required data: Microsoft Graph Logs
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage a compromised user account to send phishing or malicious messages via Graph API to multiple recipients, aiming to propagate the attack while evading detection.
    Investigative actions: Verify the user's role and typical usage of Microsoft Graph API. Check if the user's account has recently logged in from unusual locations or devices. Review recent email and chat activity to identify any phishing or suspicious messages sent. Examine the Graph API call logs to see what actions were performed and their timestamps. Correlate with endpoint logs to detect any malware or suspicious processes running on the user's device. Check for signs of account compromise, such as password changes or MFA bypass attempts. Follow further actions done by the account.

    Variations

    User sent messages in Microsoft Teams to several conversations via Graph API with suspicious characteristics

    Low overridden

    A user who rarely uses the Graph API for Microsoft Teams messaging sent multiple messages using it. overridden