|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2025-02-10
|
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2025-02-10
|
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2025-02-10
|
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2025-02-10
|
|
Amazon EKS Kubernetes cluster scan detection
|
|
Cloud Service Discovery
|
Hunting
|
Kubernetes Scanning Activity
|
2024-11-14
|
|
Amazon EKS Kubernetes Pod scan detection
|
|
Cloud Service Discovery
|
Hunting
|
Kubernetes Scanning Activity
|
2024-11-14
|
|
ASL AWS Concurrent Sessions From Different Ips
|
ASL AWS CloudTrail
|
Browser Session Hijacking
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-11-14
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
Cloud Account
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
ASL AWS Credential Access GetPasswordData
|
ASL AWS CloudTrail
|
Password Guessing
Cloud Accounts
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS Credential Access RDS Password reset
|
ASL AWS CloudTrail
|
Brute Force
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS Defense Evasion Delete Cloudtrail
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
ASL AWS Defense Evasion Impair Security Services
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
|
ASL AWS Defense Evasion PutBucketLifecycle
|
ASL AWS CloudTrail
|
Lifecycle-Triggered Deletion
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
ASL AWS Defense Evasion Update Cloudtrail
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
ASL AWS Detect Users creating keys with encrypt policy without MFA
|
ASL AWS CloudTrail
|
Data Encrypted for Impact
|
TTP
|
Ransomware Cloud
|
2024-12-16
|
|
ASL AWS Disable Bucket Versioning
|
ASL AWS CloudTrail
|
Inhibit System Recovery
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-12-16
|
|
ASL AWS EC2 Snapshot Shared Externally
|
ASL AWS CloudTrail
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-12-17
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
Malicious Image
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
Malicious Image
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
ASL AWS IAM AccessDenied Discovery Events
|
ASL AWS CloudTrail
|
Cloud Infrastructure Discovery
|
Anomaly
|
Suspicious Cloud User Activities
|
2025-01-08
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
Cloud Infrastructure Discovery
Brute Force
|
TTP
|
AWS IAM Privilege Escalation
|
2025-01-08
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
Cloud Groups
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS Network Access Control List Created with All Open Ports
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Firewall
|
TTP
|
AWS Network ACL Activity
|
2025-02-10
|
|
ASL AWS Network Access Control List Deleted
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Firewall
|
Anomaly
|
AWS Network ACL Activity
|
2025-02-10
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2025-01-09
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
Cloud Account
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS AMI Attribute Modification for Exfiltration
|
AWS CloudTrail ModifyImageAttribute
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-11-14
|
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
Browser Session Hijacking
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-11-14
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2025-02-10
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
Cloud Account
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
Cloud Account
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail ConsoleLogin
|
Password Guessing
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
Password Guessing
Cloud Accounts
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
Brute Force
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteWebACL
|
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
Lifecycle-Triggered Deletion
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
|
AWS Detect Users creating keys with encrypt policy without MFA
|
AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy
|
Data Encrypted for Impact
|
TTP
|
Ransomware Cloud
|
2024-11-14
|
|
AWS Detect Users with KMS keys performing encryption S3
|
AWS CloudTrail
|
Data Encrypted for Impact
|
Anomaly
|
Ransomware Cloud
|
2024-11-14
|
|
AWS Disable Bucket Versioning
|
AWS CloudTrail PutBucketVersioning
|
Inhibit System Recovery
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-11-14
|
|
AWS EC2 Snapshot Shared Externally
|
AWS CloudTrail ModifySnapshotAttribute
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-11-14
|
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
|
TTP
|
Dev Sec Ops
|
2025-02-10
|
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
Malicious Image
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
Malicious Image
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
Cloud Service Discovery
|
TTP
|
AWS User Monitoring
|
2024-11-14
|
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
Automated Collection
|
Anomaly
|
Data Exfiltration
|
2024-11-14
|
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
Automated Collection
|
TTP
|
Data Exfiltration
|
2024-11-14
|
|
AWS Exfiltration via Bucket Replication
|
AWS CloudTrail PutBucketReplication
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-11-14
|
|
AWS Exfiltration via DataSync Task
|
AWS CloudTrail CreateTask
|
Automated Collection
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-11-14
|
|
AWS Exfiltration via EC2 Snapshot
|
AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail ModifySnapshotAttribute
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-11-14
|
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
Password Policy Discovery
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-11-14
|
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2025-02-10
|
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
Cloud Infrastructure Discovery
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-11-14
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
Cloud Infrastructure Discovery
Brute Force
|
TTP
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
Cloud Groups
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
User Execution
|
Hunting
|
Suspicious Cloud User Activities
|
2024-11-14
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2025-02-10
|
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
Disable or Modify Cloud Firewall
|
TTP
|
AWS Network ACL Activity
|
2025-02-10
|
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
Disable or Modify Cloud Firewall
|
Anomaly
|
AWS Network ACL Activity
|
2025-02-10
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Password Policy Changes
|
AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy
|
Password Policy Discovery
|
Hunting
|
AWS IAM Privilege Escalation, Compromised User Account
|
2024-11-14
|
|
AWS S3 Exfiltration Behavior Identified
|
|
Transfer Data to Cloud Account
|
Correlation
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-11-14
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-11-14
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Unused/Unsupported Cloud Regions
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2024-11-14
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
Cloud Account
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
Password Spraying
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD AzureHound UserAgent Detected
|
Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs
|
Cloud Account
Cloud Service Discovery
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2025-01-06
|
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
Impair Defenses
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
Browser Session Hijacking
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-11-14
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
Steal Application Access Token
Spearphishing Link
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-11-14
|
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
Password Guessing
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
Device Registration
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Security Account Manager
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-11-14
|
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
Security Account Manager
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Service Principal Enumeration
|
Azure Active Directory MicrosoftGraphActivityLogs
|
Cloud Account
Cloud Service Discovery
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2025-01-06
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
Additional Cloud Credentials
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Circle CI Disable Security Job
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-11-14
|
|
Circle CI Disable Security Step
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-11-14
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-11-14
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Cloud Cryptomining
|
2025-02-10
|
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
Cloud Cryptomining
|
2024-11-14
|
|
Cloud Compute Instance Created With Previously Unseen Image
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Cloud Cryptomining
|
2024-11-14
|
|
Cloud Compute Instance Created With Previously Unseen Instance Type
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Cloud Cryptomining
|
2024-11-14
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2025-02-10
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
Modify Cloud Compute Configurations
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-11-14
|
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
Unsecured Credentials
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities
|
2025-02-10
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2025-02-10
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2025-02-10
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2025-02-10
|
|
Detect GCP Storage access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious GCP Storage Activities
|
2024-11-14
|
|
Detect New Open GCP Storage Buckets
|
|
Data from Cloud Storage
|
TTP
|
Suspicious GCP Storage Activities
|
2024-11-14
|
|
Detect New Open S3 buckets
|
AWS CloudTrail
|
Data from Cloud Storage
|
TTP
|
Suspicious AWS S3 Activities
|
2024-11-14
|
|
Detect New Open S3 Buckets over AWS CLI
|
AWS CloudTrail
|
Data from Cloud Storage
|
TTP
|
Suspicious AWS S3 Activities
|
2024-11-14
|
|
Detect S3 access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-11-14
|
|
Detect Spike in AWS Security Hub Alerts for EC2 Instance
|
AWS Security Hub
|
N/A
|
Anomaly
|
AWS Security Hub Alerts, Critical Alerts
|
2024-11-14
|
|
Detect Spike in AWS Security Hub Alerts for User
|
AWS Security Hub
|
N/A
|
Anomaly
|
AWS Security Hub Alerts, Critical Alerts
|
2024-11-14
|
|
Detect Spike in blocked Outbound Traffic from your AWS
|
|
N/A
|
Anomaly
|
AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic
|
2024-11-14
|
|
Detect Spike in S3 Bucket deletion
|
AWS CloudTrail
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-11-14
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-11-14
|
|
GCP Kubernetes cluster pod scan detection
|
|
Cloud Service Discovery
|
Hunting
|
Kubernetes Scanning Activity
|
2024-11-14
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
Cloud Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
GCP Account Takeover
|
2025-02-10
|
|
Gdrive suspicious file sharing
|
|
Phishing
|
Hunting
|
Data Exfiltration, Spearphishing Attachments
|
2024-11-14
|
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
Disable or Modify Cloud Logs
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-14
|
|
GitHub Enterprise Disable IP Allow List
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-20
|
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
Disable or Modify Cloud Logs
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
Disable or Modify Cloud Logs
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
|
GitHub Enterprise Register Self Hosted Runner
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-20
|
|
GitHub Enterprise Remove Organization
|
GitHub Enterprise Audit Logs
|
Data Destruction
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
|
GitHub Enterprise Repository Archived
|
GitHub Enterprise Audit Logs
|
Data Destruction
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Enterprise Repository Deleted
|
GitHub Enterprise Audit Logs
|
Data Destruction
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
|
GitHub Organizations Delete Branch Ruleset
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Organizations Disable Dependabot
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-14
|
|
GitHub Organizations Repository Archived
|
GitHub Organizations Audit Logs
|
Data Destruction
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
GitHub Organizations Repository Deleted
|
GitHub Organizations Audit Logs
|
Data Destruction
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
Exfiltration to Cloud Storage
|
Anomaly
|
Dev Sec Ops, Insider Threat
|
2025-02-10
|
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
Spearphishing Attachment
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
Spearphishing Attachment
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
Spearphishing Attachment
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
Gsuite Outbound Email With Attachment To External Domain
|
G Suite Gmail
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
Hunting
|
Dev Sec Ops, Insider Threat
|
2025-02-10
|
|
Gsuite suspicious calendar invite
|
|
Phishing
|
Hunting
|
Spearphishing Attachments
|
2024-11-14
|
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
Spearphishing Attachment
|
Anomaly
|
Dev Sec Ops
|
2025-02-10
|
|
High Number of Login Failures from a single source
|
O365 UserLoginFailed
|
Password Guessing
|
Anomaly
|
Office 365 Account Takeover
|
2025-02-10
|
|
Kubernetes Abuse of Secret by Unusual Location
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Abuse of Secret by Unusual User Agent
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Abuse of Secret by Unusual User Group
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Abuse of Secret by Unusual User Name
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Access Scanning
|
Kubernetes Audit
|
Network Service Discovery
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Anomalous Traffic on Network Edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes AWS detect suspicious kubectl calls
|
Kubernetes Audit
|
N/A
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Create or Update Privileged Pod
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
Container Orchestration Job
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes DaemonSet Deployed
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes newly seen TCP edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes newly seen UDP edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Nginx Ingress LFI
|
|
Exploitation for Credential Access
|
TTP
|
Dev Sec Ops
|
2024-11-14
|
|
Kubernetes Nginx Ingress RFI
|
|
Exploitation for Credential Access
|
TTP
|
Dev Sec Ops
|
2024-11-14
|
|
Kubernetes Node Port Creation
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Pod Created in Default Namespace
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Previously Unseen Container Image Name
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Previously Unseen Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Process Running From New Path
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Process with Resource Ratio Anomalies
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Scanner Image Pulling
|
|
Cloud Service Discovery
|
TTP
|
Dev Sec Ops
|
2024-11-14
|
|
Kubernetes Scanning by Unauthenticated IP Address
|
Kubernetes Audit
|
Network Service Discovery
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Shell Running on Worker Node
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-11-14
|
|
Kubernetes Suspicious Image Pulling
|
Kubernetes Audit
|
Cloud Service Discovery
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-06
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
Software Deployment Tools
Domain or Tenant Policy Modification
Cloud Services
Disable or Modify Tools
Disable or Modify System Firewall
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
|
Microsoft Intune Manual Device Management
|
Azure Monitor Activity
|
Cloud Services
Software Deployment Tools
System Shutdown/Reboot
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
Cloud Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Added Service Principal
|
O365
|
Cloud Account
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Application Available To Other Tenants
|
Office 365 Universal Audit Log
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2025-02-10
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
Account Manipulation
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
Additional Email Delegate Permissions
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 BEC Email Hiding Rule Created
|
|
Email Hiding Rules
|
TTP
|
Office 365 Account Takeover
|
2025-02-14
|
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
Impair Defenses
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
Disable or Modify Cloud Firewall
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Compliance Content Search Exported
|
|
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Compliance Content Search Started
|
|
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Concurrent Sessions From Different Ips
|
O365 UserLoggedIn
|
Browser Session Hijacking
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Cross-Tenant Access Change
|
Office 365 Universal Audit Log
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 DLP Rule Triggered
|
Office 365 Universal Audit Log
|
Exfiltration Over Alternative Protocol
Exfiltration Over Web Service
|
Anomaly
|
Data Exfiltration
|
2024-11-14
|
|
O365 Elevated Mailbox Permission Assigned
|
|
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Email Access By Security Administrator
|
Office 365 Universal Audit Log
|
Remote Email Collection
Exfiltration Over Web Service
|
TTP
|
Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover
|
2025-02-10
|
|
O365 Email Hard Delete Excessive Volume
|
Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Suspicious Emails
|
2025-01-20
|
|
O365 Email New Inbox Rule Created
|
Office 365 Universal Audit Log
|
Email Forwarding Rule
Email Hiding Rules
|
Anomaly
|
Office 365 Collection Techniques
|
2025-01-20
|
|
O365 Email Password and Payroll Compromise Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
Local Email Collection
|
TTP
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
|
O365 Email Receive and Hard Delete Takeover Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
Local Email Collection
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
|
O365 Email Reported By Admin Found Malicious
|
Office 365 Universal Audit Log
|
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2025-02-10
|
|
O365 Email Reported By User Found Malicious
|
Office 365 Universal Audit Log
|
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2025-02-10
|
|
O365 Email Security Feature Changed
|
Office 365 Universal Audit Log
|
Disable or Modify Tools
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Email Send and Hard Delete Exfiltration Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Local Email Collection
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
|
O365 Email Send and Hard Delete Suspicious Behavior
|
Office 365 Universal Audit Log
|
Local Email Collection
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
|
O365 Email Send Attachments Excessive Volume
|
Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Office 365 Account Takeover, Suspicious Emails
|
2025-01-20
|
|
O365 Email Suspicious Behavior Alert
|
Office 365 Universal Audit Log
|
Email Forwarding Rule
|
TTP
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-02-10
|
|
O365 Email Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
Remote Email Collection
Unsecured Credentials
|
Anomaly
|
CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques
|
2025-02-27
|
|
O365 Email Transport Rule Changed
|
Office 365 Universal Audit Log
|
Email Forwarding Rule
Email Hiding Rules
|
Anomaly
|
Data Exfiltration, Office 365 Account Takeover
|
2025-01-15
|
|
O365 Excessive Authentication Failures Alert
|
|
Brute Force
|
Anomaly
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-11-14
|
|
O365 Exfiltration via File Access
|
Office 365 Universal Audit Log
|
Exfiltration Over Web Service
Data from Cloud Storage
|
Anomaly
|
Data Exfiltration, Office 365 Account Takeover
|
2024-10-14
|
|
O365 Exfiltration via File Download
|
Office 365 Universal Audit Log
|
Exfiltration Over Web Service
Data from Cloud Storage
|
Anomaly
|
Data Exfiltration, Office 365 Account Takeover
|
2024-10-14
|
|
O365 Exfiltration via File Sync Download
|
Office 365 Universal Audit Log
|
Exfiltration Over Web Service
Data from Cloud Storage
|
Anomaly
|
Data Exfiltration, Office 365 Account Takeover
|
2024-10-14
|
|
O365 External Guest User Invited
|
Office 365 Universal Audit Log
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 External Identity Policy Changed
|
Office 365 Universal Audit Log
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 High Number Of Failed Authentications for User
|
O365 UserLoginFailed
|
Password Guessing
|
TTP
|
Office 365 Account Takeover
|
2025-02-10
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Mailbox Email Forwarding Enabled
|
|
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Mailbox Folder Read Permission Assigned
|
|
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Mailbox Folder Read Permission Granted
|
|
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Mailbox Inbox Folder Shared with All Users
|
O365 ModifyFolderPermissions
|
Remote Email Collection
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
Additional Cloud Roles
Remote Email Collection
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Hunting
|
NOBELIUM Group, Office 365 Account Takeover
|
2025-02-10
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Multiple Failed MFA Requests For User
|
O365 UserLoginFailed
|
Multi-Factor Authentication Request Generation
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Multiple Mailboxes Accessed via API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-11-14
|
|
O365 Multiple OS Vendors Authenticating From User
|
Office 365 Universal Audit Log
|
Brute Force
|
TTP
|
Office 365 Account Takeover
|
2024-12-19
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
TTP
|
NOBELIUM Group, Office 365 Account Takeover
|
2025-02-10
|
|
O365 New Email Forwarding Rule Created
|
|
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 New Email Forwarding Rule Enabled
|
|
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 New Federated Domain Added
|
O365
|
Cloud Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 New Forwarding Mailflow Rule Created
|
|
Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-11-14
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
Device Registration
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 OAuth App Mailbox Access via EWS
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-11-14
|
|
O365 OAuth App Mailbox Access via Graph API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-11-14
|
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
Security Account Manager
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Privileged Role Assigned
|
Office 365 Universal Audit Log
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
O365 Privileged Role Assigned To Service Principal
|
Office 365 Universal Audit Log
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
O365 PST export alert
|
O365
|
Email Collection
|
TTP
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-11-14
|
|
O365 Safe Links Detection
|
Office 365 Universal Audit Log
|
Spearphishing Attachment
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2025-02-10
|
|
O365 Security And Compliance Alert Triggered
|
|
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2025-02-10
|
|
O365 Service Principal New Client Credentials
|
O365
|
Additional Cloud Credentials
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Service Principal Privilege Escalation
|
O365 Add app role assignment grant to user.
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, Office 365 Account Takeover
|
2025-02-10
|
|
O365 SharePoint Allowed Domains Policy Changed
|
Office 365 Universal Audit Log
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 SharePoint Malware Detection
|
Office 365 Universal Audit Log
|
Malicious File
|
TTP
|
Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud
|
2025-02-10
|
|
O365 SharePoint Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
Sharepoint
Unsecured Credentials
|
Anomaly
|
CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques
|
2025-02-27
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Threat Intelligence Suspicious Email Delivered
|
Office 365 Universal Audit Log
|
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2025-02-10
|
|
O365 Threat Intelligence Suspicious File Detected
|
Office 365 Universal Audit Log
|
Malicious File
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud
|
2025-02-10
|
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 User Consent Denied for OAuth Application
|
O365
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 ZAP Activity Detection
|
Office 365 Universal Audit Log
|
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2025-02-10
|
|
Risk Rule for Dev Sec Ops by Repository
|
|
Malicious Image
|
Correlation
|
Dev Sec Ops
|
2025-02-10
|