Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

16 alerts match the current filters. technique: T1556 ✕

Show ATT&CK heatmap
  • A user attempted to bypass Okta MFA Low Identity Threat Module 1 variation

    A user may have attempted to bypass Okta MFA.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556) Multi-Factor Authentication Request Generation (T1621)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user who attempted to bypass MFA and ensure the request was legitimate. Check if the user successfully authenticated after the event.

    Variations

    A successful bypass of Okta MFA

    Low overridden

    Suspicious MFA bypass attempt in Okta. overridden

  • A user modified an Okta MFA factor Informational Identity Threat Module 1 variation

    An Okta MFA factor was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Contact the user and ensure the operation was legitimate. Check if the user modifies more factors. If the user activates a weak factor, check for abnormal successful sign-ins from different countries and times. If the user deactivates a strong factor, check if he authenticates with unusual factors and checks for abnormal successful sign-ins from different countries and times.

    Variations

    Abnormal Okta MFA Factor Authentication Modification

    Low overridden

    An OKTA MFA factor was modified by a user with suspicious conditions. overridden

  • A user modified an Okta policy rule Informational Identity Threat Module 1 variation

    An Okta policy rule was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.

    Variations

    A user modified an Okta policy rule with suspicious characteristics

    Low overridden

    An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden

  • An AWS SAML provider was modified Informational Cloud

    An AWS SAML provider was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Trusted Relationship (T1199) Modify Authentication Process (T1556)
    Required data: AWS Audit Log
    Attacker's goals: Gain privileged access to AWS accounts.
    Investigative actions: Check what changes were made to the SAML provider.
  • An app was added to the Google Workspace trusted OAuth apps list Informational Identity Threat Module 2 variations

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.
    Investigative actions: Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was added to the trusted apps list looks suspicious. Follow further actions done by the account.

    Variations

    An unusual app was added to the Google Workspace trusted OAuth apps list

    Low overridden

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden

    An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity

    Low overridden

    An identity added an OAuth app to the Google Workspace trusted OAuth apps list. overridden

  • An app was removed from a blocked list in Google Workspace Informational Identity Threat Module 3 variations

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Malicious OAuth Apps can be used to request elevated permissions or to impersonate another user.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the app that was removed from the trusted apps list looks suspicious. Follow further actions done by the account.

    Variations

    An app was removed from a blocked list in Google Workspace by a suspicious identity

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

    An app was removed from a blocked list in Google Workspace by a non Google Workspace administrative user

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

    An app was removed from a blocked list in Google Workspace from an unusual ASN

    Low overridden

    An identity removed an app from Google Workspace blocked OAuth or third-party apps list. overridden

  • Authentication method was added to Azure account Informational Cloud

    A new authentication method was added to an Azure AD user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Establish a backdoor for persistent access.
    Investigative actions: Review recent authentication attempts and access logs to detect any unauthorized activities or potential misuse of the newly added authentication method. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Google Workspace user authentication information changed Informational Identity Threat Module 2 variations

    Google Workspace authentication information was changed for a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006) Account Manipulation (T1098)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may manipulate user authentication information to obtain Persistence or Bypass Multi-Factor Authentication (MFA) controls.
    Investigative actions: Verify if the authentication information change was authorized. Follow further actions done by the user and IP address.

    Variations

    Google Workspace administrative user authentication information changed

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

    Google Workspace user authentication information changed by another account

    Low overridden

    Google Workspace authentication information was changed for a user. overridden

  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • Key credential attribute modification Informational Identity Analytics 2 variations

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker may be attempting to add shadow credentials to an account, gaining persistent unauthorized access.
    Investigative actions: Follow further PKINIT authentication activity by the modified identity. Verify if Windows Hello for Business is enabled, as this is a common benign cause for this activity. Check if the modified credential maps to an existing device ID in Entra ID. Examine recent activity from the user account, including logon patterns and privilege changes.

    Variations

    Possible shadow credentials addition

    Medium overridden

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden

    Key credential attribute addition

    Low overridden

    A user modified the msDS-KeyCredentialLink attribute for an account, which may indicate a shadow credentials attack. overridden

  • MFA Disabled for Google Workspace Low Identity Threat Module 1 variation

    An administrator has disabled Multi-Factor Authentication for Google Workspace users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process (T1556) Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to Google Workspace accounts with disabled MFA. Exploit Google Workspace accounts with weaker security. Steal sensitive data from Google Workspace accounts.
    Investigative actions: Check the MFA settings for the Google Workspace users. Identify the users who have MFA disabled and investigate the reason for it. Check the security log to see if there have been any suspicious activities in the account.

    Variations

    MFA Disabled for Google Workspace from an unusual caller IP ASN

    Low overridden

    An administrator has disabled Multi-Factor Authentication for Google Workspace users. overridden

  • MFA was disabled for a Google Workspace user Informational Identity Threat Module 2 variations

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Authentication Process: Multi-Factor Authentication (T1556.006)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may impair defenses by disabling Multi-Factor Authentication (MFA) to maintain persistence and evade detection.
    Investigative actions: Verify if the MFA disablement was authorized. Investigate the source IP and User Agent for previous malicious activity or anomalies. Follow further actions done by the user and IP address.

    Variations

    MFA was disabled for a Google Workspace administrative user

    Medium overridden

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden

    MFA was disabled for a Google Workspace user by a different account for the first time

    Low overridden

    Multi-Factor Authentication (MFA) has been disabled for a Google Workspace user. overridden

  • MFA was disabled for an Azure identity Low Identity Threat Module 2 variations

    MFA was disabled for the user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process (T1556)
    Required data: AzureAD Audit Log
    Attacker's goals: This allows the attacker to connect using this account without the need for the additional layer of authentication.
    Investigative actions: Follow further actions by the initiator. Check the login activity from this account. Follow further actions done by this account.

    Variations

    Suspicious MFA was disabled for an Azure identity

    Medium overridden

    MFA was disabled for the user. overridden

    MFA was disabled for an Azure identity regularly by the user

    Informational overridden

    MFA was disabled for the user. overridden

  • Modification of PAM Informational 1 variation

    Modification of PAM configuration files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005) Credential Access (TA0006)
    ATT&CK techniques: Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Credential access, defense evasion or persistence.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Modification of PAM from a Kubernetes pod

    Informational overridden

    Modification of PAM configuration files. overridden

  • Suspicious authentication with Azure Password Hash Sync user Medium Identity Analytics

    Authentication to an unusual authentication target was performed by the Azure AD Password Hash Sync user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Defense Evasion (TA0005)
    ATT&CK techniques: Valid Accounts (T1078) Modify Authentication Process: Hybrid Identity (T1556.007)
    Required data: AzureAD
    Attacker's goals: The attacker may be attempting to exploit a PHS user, the attacker wants to escalate and abuse this user, to get access to all the user's hashes.
    Investigative actions: Follow further actions done by the account.
  • Weakly-Encrypted Kerberos TGT Response Informational 1 variation

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Modify Authentication Process: Domain Controller Authentication (T1556.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Manipulate the domain controller authentication process to bypass standard authentication and gain access to hosts and resources in environments relying on single-factor authentication.
    Investigative actions: Identify the user or entity that requested the TGT during the alert timeframe. Determine whether a legitimate service or application requested weak Kerberos encryption. Verify whether the domain controller is patched against the Skeleton Key vulnerability (CVE-2016-1567).

    Variations

    Abnormal Weakly-Encrypted Kerberos TGT Response

    Low overridden

    A weakly encrypted Kerberos TGT was issued by a domain controller. The encryption type is abnormal for this DC and results in a TGT that is easier to crack. This behavior may indicate a Skeleton Key attack. overridden