| Okta Authentication Failed During MFA Challenge | Okta | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| Okta Successful Single Factor Authentication | Okta | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2025-05-02 |
| Okta User Logins from Multiple Cities | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2025-05-02 |
| ASL AWS Credential Access GetPasswordData | ASL AWS CloudTrail | Password Guessing, Cloud Accounts | Anomaly | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| ASL AWS Credential Access RDS Password reset | ASL AWS CloudTrail | Brute Force, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| ASL AWS Multi-Factor Authentication Disabled | ASL AWS CloudTrail | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| AWS Console Login Failed During MFA Challenge | AWS CloudTrail ConsoleLogin | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover, Compromised User Account | 2025-05-02 |
| AWS Credential Access Failed Login | AWS CloudTrail ConsoleLogin | Password Guessing, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| AWS Credential Access GetPasswordData | AWS CloudTrail GetPasswordData | Password Guessing, Cloud Accounts | Anomaly | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| AWS Credential Access RDS Password reset | AWS CloudTrail ModifyDBInstance | Brute Force, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| AWS Multiple Failed MFA Requests For User | AWS CloudTrail ConsoleLogin | Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| AWS Successful Console Authentication From Multiple IPs | AWS CloudTrail ConsoleLogin | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly | Compromised User Account, Suspicious AWS Login Activities | 2025-05-02 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Cloud Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| AWS Unusual Number of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | AWS Identity and Access Management Account Takeover | 2025-05-02 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | Password Spraying, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-05-02 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2025-05-02 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | Multi-Factor Authentication, Cloud Accounts | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | Password Spraying, Credential Stuffing, Cloud Accounts | Hunting | Azure Active Directory Account Takeover, NOBELIUM Group | 2025-09-17 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2025-05-02 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | Azure Active Directory Account Takeover | 2025-05-02 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-05-02 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-05-02 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | Azure Active Directory Account Takeover | 2025-05-02 |
| Detect AWS Console Login by New User | AWS CloudTrail | Unsecured Credentials, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities | 2025-06-10 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2025-05-02 |
| Detect AWS Console Login by User from New Country | AWS CloudTrail | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2025-05-02 |
| Detect AWS Console Login by User from New Region | AWS CloudTrail | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2025-05-02 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| GCP Multi-Factor Authentication Disabled | Google Workspace | Multi-Factor Authentication, Cloud Accounts | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| GCP Multiple Users Failing To Authenticate From Ip | Google Workspace | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | GCP Account Takeover | 2025-05-02 |
| GCP Successful Single-Factor Authentication | Google Workspace | Cloud Accounts, Cloud Accounts | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2025-10-14 |
| GCP Unusual Number of Failed Authentications From Ip | Google Workspace | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | GCP Account Takeover | 2025-05-02 |
| O365 Multi-Source Failed Authentications Spike | O365 UserLoginFailed | Password Spraying, Credential Stuffing, Cloud Accounts | Hunting | NOBELIUM Group, Office 365 Account Takeover | 2025-05-02 |
| O365 Multiple Users Failing To Authenticate From Ip | O365 UserLoginFailed | Password Spraying, Credential Stuffing, Cloud Accounts | TTP | NOBELIUM Group, Office 365 Account Takeover | 2025-05-02 |
| Windows Certutil Root Certificate Addition | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Digital Certificates | TTP | Secret Blizzard | 2025-10-06 |
| Windows NirSoft AdvancedRun | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Tool | TTP | Data Destruction, Ransomware, Unusual Processes, WhisperGate | 2025-05-02 |
| Windows NirSoft Tool Bundle File Created | Sysmon EventID 11 | Tool | Anomaly | Data Destruction, Unusual Processes, WhisperGate | 2025-10-22 |
| Windows NirSoft Utilities | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Tool | Hunting | Data Destruction, WhisperGate | 2025-05-02 |
| Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Cisco Secure Firewall Threat Defense Connection Event | Code Signing Certificates, Digital Certificates, Web Protocols, Asymmetric Cryptography | TTP | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02 |
| Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters | 2025-10-14 |
| Cisco Secure Firewall - Possibly Compromised Host | Cisco Secure Firewall Threat Defense Intrusion Event | Exploitation for Client Execution, Command and Scripting Interpreter, Malware | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02 |
| Cisco Secure Firewall - Rare Snort Rule Triggered | Cisco Secure Firewall Threat Defense Intrusion Event | Phishing for Information, Web Services | Hunting | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02 |