Cloud Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Abnormally High Number Of Cloud Infrastructure API Calls	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Compromised User Account, Suspicious Cloud User Activities	2024-10-17
Abnormally High Number Of Cloud Instances Destroyed	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Suspicious Cloud Instance Activities	2024-10-22
Abnormally High Number Of Cloud Instances Launched	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Cloud Cryptomining, Suspicious Cloud Instance Activities	2024-10-22
Abnormally High Number Of Cloud Security Group API Calls	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Suspicious Cloud User Activities	2024-10-17
Amazon EKS Kubernetes cluster scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Amazon EKS Kubernetes Pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
ASL AWS Concurrent Sessions From Different Ips		Browser Session Hijacking	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
ASL AWS Defense Evasion Delete Cloudtrail		Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group		Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
ASL AWS Defense Evasion Impair Security Services		Disable or Modify Cloud Logs Impair Defenses	Hunting	AWS Defense Evasion	2024-10-17
ASL AWS Defense Evasion Stop Logging Cloudtrail		Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
ASL AWS Defense Evasion Update Cloudtrail		Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
ASL AWS ECR Container Upload Outside Business Hours		Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
ASL AWS ECR Container Upload Unknown User		Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
ASL AWS IAM Delete Policy		Account Manipulation	Hunting	AWS IAM Privilege Escalation	2024-10-17
ASL AWS IAM Failure Group Deletion		Account Manipulation	Anomaly	AWS IAM Privilege Escalation	2024-10-22
ASL AWS IAM Successful Group Deletion		Cloud Groups Account Manipulation Permission Groups Discovery	Hunting	AWS IAM Privilege Escalation	2024-10-22
ASL AWS Multi-Factor Authentication Disabled		Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
ASL AWS New MFA Method Registered For User		Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-10-17
AWS AMI Attribute Modification for Exfiltration	AWS CloudTrail ModifyImageAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS Concurrent Sessions From Different Ips	AWS CloudTrail DescribeEventAggregates	Browser Session Hijacking	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS Console Login Failed During MFA Challenge	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS Create Policy Version to allow all resources	AWS CloudTrail CreatePolicyVersion	Cloud Accounts Valid Accounts	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS CreateAccessKey	AWS CloudTrail CreateAccessKey	Cloud Account Create Account	Hunting	AWS IAM Privilege Escalation	2024-10-17
AWS CreateLoginProfile	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile	Cloud Account Create Account	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS Credential Access Failed Login	AWS CloudTrail	Compromise Accounts Cloud Accounts Brute Force Password Guessing	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Credential Access GetPasswordData	AWS CloudTrail GetPasswordData	Compromise Accounts Cloud Accounts Brute Force Password Guessing	Anomaly	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Credential Access RDS Password reset	AWS CloudTrail ModifyDBInstance	Compromise Accounts Cloud Accounts Brute Force	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Cross Account Activity From Previously Unseen Account	AWS CloudTrail	N/A	Anomaly	Suspicious Cloud Authentication Activities	2024-10-17
AWS Defense Evasion Delete Cloudtrail	AWS CloudTrail DeleteTrail	Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group	AWS CloudTrail DeleteLogGroup	Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
AWS Defense Evasion Impair Security Services	AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL	Disable or Modify Cloud Logs Impair Defenses	Hunting	AWS Defense Evasion	2024-10-17
AWS Defense Evasion PutBucketLifecycle	AWS CloudTrail PutBucketLifecycle	Disable or Modify Cloud Logs Impair Defenses Lifecycle-Triggered Deletion Data Destruction	Hunting	AWS Defense Evasion	2024-10-17
AWS Defense Evasion Stop Logging Cloudtrail	AWS CloudTrail StopLogging	Disable or Modify Cloud Logs Impair Defenses	TTP	AWS Defense Evasion	2024-09-30
AWS Defense Evasion Update Cloudtrail	AWS CloudTrail UpdateTrail	Impair Defenses Disable or Modify Cloud Logs	TTP	AWS Defense Evasion	2024-09-30
aws detect attach to role policy		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect permanent key creation		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect role creation		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect sts assume role abuse		Valid Accounts	Hunting	AWS Cross Account Activity	2024-10-17
aws detect sts get session token abuse		Use Alternate Authentication Material	Hunting	AWS Cross Account Activity	2024-10-17
AWS Detect Users creating keys with encrypt policy without MFA	AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy	Data Encrypted for Impact	TTP	Ransomware Cloud	2024-09-30
AWS Detect Users with KMS keys performing encryption S3	AWS CloudTrail	Data Encrypted for Impact	Anomaly	Ransomware Cloud	2024-09-30
AWS Disable Bucket Versioning	AWS CloudTrail PutBucketVersioning	Inhibit System Recovery	Anomaly	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
AWS EC2 Snapshot Shared Externally	AWS CloudTrail ModifySnapshotAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS ECR Container Scanning Findings High	AWS CloudTrail DescribeImageScanFindings	Malicious Image User Execution	TTP	Dev Sec Ops	2024-09-30
AWS ECR Container Scanning Findings Low Informational Unknown	AWS CloudTrail DescribeImageScanFindings	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS ECR Container Scanning Findings Medium	AWS CloudTrail DescribeImageScanFindings	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS ECR Container Upload Outside Business Hours	AWS CloudTrail PutImage	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS ECR Container Upload Unknown User	AWS CloudTrail PutImage	Malicious Image User Execution	Anomaly	Dev Sec Ops	2024-09-30
AWS Excessive Security Scanning	AWS CloudTrail	Cloud Service Discovery	TTP	AWS User Monitoring	2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity	AWS CloudTrail GetObject	Automated Collection	Anomaly	Data Exfiltration	2024-09-30
AWS Exfiltration via Batch Service	AWS CloudTrail JobCreated	Automated Collection	TTP	Data Exfiltration	2024-09-30
AWS Exfiltration via Bucket Replication	AWS CloudTrail PutBucketReplication	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
AWS Exfiltration via DataSync Task	AWS CloudTrail CreateTask	Automated Collection	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
AWS Exfiltration via EC2 Snapshot	AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute	Transfer Data to Cloud Account	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS High Number Of Failed Authentications For User	AWS CloudTrail ConsoleLogin	Password Policy Discovery	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS High Number Of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	Brute Force Password Spraying Credential Stuffing	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS IAM AccessDenied Discovery Events	AWS CloudTrail	Cloud Infrastructure Discovery	Anomaly	Suspicious Cloud User Activities	2024-09-30
AWS IAM Assume Role Policy Brute Force	AWS CloudTrail	Cloud Infrastructure Discovery Brute Force	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS IAM Delete Policy	AWS CloudTrail DeletePolicy	Account Manipulation	Hunting	AWS IAM Privilege Escalation	2024-10-17
AWS IAM Failure Group Deletion	AWS CloudTrail DeleteGroup	Account Manipulation	Anomaly	AWS IAM Privilege Escalation	2024-10-22
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	Cloud Groups Account Manipulation Permission Groups Discovery	Hunting	AWS IAM Privilege Escalation	2024-10-22
AWS Lambda UpdateFunctionCode	AWS CloudTrail	User Execution	Hunting	Suspicious Cloud User Activities	2024-10-22
AWS Multi-Factor Authentication Disabled	AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Multiple Failed MFA Requests For User	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation	Anomaly	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Multiple Users Failing To Authenticate From Ip	AWS CloudTrail ConsoleLogin	Brute Force Password Spraying Credential Stuffing	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-10-16
AWS Network Access Control List Created with All Open Ports	AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry	Disable or Modify Cloud Firewall Impair Defenses	TTP	AWS Network ACL Activity	2024-09-30
AWS Network Access Control List Deleted	AWS CloudTrail DeleteNetworkAclEntry	Disable or Modify Cloud Firewall Impair Defenses	Anomaly	AWS Network ACL Activity	2024-09-30
AWS New MFA Method Registered For User	AWS CloudTrail CreateVirtualMFADevice	Modify Authentication Process Multi-Factor Authentication	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Password Policy Changes	AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy	Password Policy Discovery	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-10-17
AWS S3 Exfiltration Behavior Identified		Transfer Data to Cloud Account	Correlation	Data Exfiltration, Suspicious Cloud Instance Activities	2024-09-30
AWS SAML Access by Provider User and Principal	AWS CloudTrail AssumeRoleWithSAML	Valid Accounts	Anomaly	Cloud Federated Credential Abuse	2024-09-30
AWS SAML Update identity provider	AWS CloudTrail UpdateSAMLProvider	Valid Accounts	TTP	Cloud Federated Credential Abuse	2024-09-30
AWS SetDefaultPolicyVersion	AWS CloudTrail SetDefaultPolicyVersion	Cloud Accounts Valid Accounts	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS Successful Console Authentication From Multiple IPs	AWS CloudTrail ConsoleLogin	Compromise Accounts Unused/Unsupported Cloud Regions	Anomaly	Compromised User Account, Suspicious AWS Login Activities	2024-09-30
AWS Successful Single-Factor Authentication	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts	TTP	AWS Identity and Access Management Account Takeover	2024-09-30
AWS Unusual Number of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Anomaly	AWS Identity and Access Management Account Takeover	2024-09-30
AWS UpdateLoginProfile	AWS CloudTrail UpdateLoginProfile	Cloud Account Create Account	TTP	AWS IAM Privilege Escalation	2024-09-30
Azure Active Directory High Risk Sign-in	Azure Active Directory	Compromise Accounts Cloud Accounts Brute Force Password Spraying	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Admin Consent Bypassed by Service Principal	Azure Active Directory Add app role assignment to service principal	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-09-30
Azure AD Application Administrator Role Assigned	Azure Active Directory Add member to role	Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation	2024-09-30
Azure AD Authentication Failed During MFA Challenge	Azure Active Directory	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	Azure Active Directory Account Takeover	2024-10-31
Azure AD Block User Consent For Risky Apps Disabled	Azure Active Directory Update authorization policy	Impair Defenses	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Concurrent Sessions From Different Ips	Azure Active Directory	Browser Session Hijacking	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-09-30
Azure AD Device Code Authentication	Azure Active Directory	Steal Application Access Token Phishing Spearphishing Link	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD External Guest User Invited	Azure Active Directory Invite external user	Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
Azure AD FullAccessAsApp Permission Assigned	Azure Active Directory Update application	Additional Email Delegate Permissions Additional Cloud Roles	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Global Administrator Role Assigned	Azure Active Directory Add member to role	Additional Cloud Roles	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-09-30
Azure AD High Number Of Failed Authentications For User	Azure Active Directory	Brute Force Password Guessing	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-09-30
Azure AD High Number Of Failed Authentications From Ip	Azure Active Directory	Brute Force Password Guessing Password Spraying	TTP	Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group	2024-09-30
Azure AD Multi-Factor Authentication Disabled	Azure Active Directory Disable Strong Authentication	Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Multi-Source Failed Authentications Spike	Azure Active Directory	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Hunting	Azure Active Directory Account Takeover, NOBELIUM Group	2024-10-17
Azure AD Multiple AppIDs and UserAgents Authentication Spike	Azure Active Directory Sign-in activity	Valid Accounts	Anomaly	Azure Active Directory Account Takeover	2024-09-30
Azure AD Multiple Denied MFA Requests For User	Azure Active Directory Sign-in activity	Multi-Factor Authentication Request Generation	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Multiple Failed MFA Requests For User	Azure Active Directory Sign-in activity	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Multiple Service Principals Created by SP	Azure Active Directory Add service principal	Cloud Account	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Multiple Service Principals Created by User	Azure Active Directory Add service principal	Cloud Account	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip	Azure Active Directory	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Anomaly	Azure Active Directory Account Takeover	2024-09-30
Azure AD New Custom Domain Added	Azure Active Directory Add unverified domain	Domain or Tenant Policy Modification Trust Modification	TTP	Azure Active Directory Persistence	2024-09-30
Azure AD New Federated Domain Added	Azure Active Directory Set domain authentication	Domain or Tenant Policy Modification Trust Modification	TTP	Azure Active Directory Persistence	2024-09-30
Azure AD New MFA Method Registered	Azure Active Directory Update user	Account Manipulation Device Registration	TTP	Azure Active Directory Persistence	2024-09-30
Azure AD New MFA Method Registered For User	Azure Active Directory User registered security info	Modify Authentication Process Multi-Factor Authentication	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-09-30
Azure AD OAuth Application Consent Granted By User	Azure Active Directory Consent to application	Steal Application Access Token	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD PIM Role Assigned	Azure Active Directory	Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-09-30
Azure AD PIM Role Assignment Activated	Azure Active Directory	Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-09-30
Azure AD Privileged Authentication Administrator Role Assigned	Azure Active Directory Add member to role	Security Account Manager	TTP	Azure Active Directory Privilege Escalation	2024-09-30
Azure AD Privileged Graph API Permission Assigned	Azure Active Directory Update application	Security Account Manager	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Privileged Role Assigned	Azure Active Directory Add member to role	Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Privileged Role Assigned to Service Principal	Azure Active Directory Add member to role	Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-09-30
Azure AD Service Principal Authentication	Azure Active Directory Sign-in activity	Cloud Accounts	TTP	Azure Active Directory Account Takeover, NOBELIUM Group	2024-09-30
Azure AD Service Principal Created	Azure Active Directory Add service principal	Cloud Account	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Service Principal New Client Credentials	Azure Active Directory	Account Manipulation Additional Cloud Credentials	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-09-30
Azure AD Service Principal Owner Added	Azure Active Directory Add owner to application	Account Manipulation	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-09-30
Azure AD Successful Authentication From Different Ips	Azure Active Directory	Brute Force Password Guessing Password Spraying	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-09-30
Azure AD Successful PowerShell Authentication	Azure Active Directory	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Successful Single-Factor Authentication	Azure Active Directory	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD Tenant Wide Admin Consent Granted	Azure Active Directory Consent to application	Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip	Azure Active Directory	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Anomaly	Azure Active Directory Account Takeover	2024-09-30
Azure AD User Consent Blocked for Risky Application	Azure Active Directory Consent to application	Steal Application Access Token	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD User Consent Denied for OAuth Application	Azure Active Directory Sign-in activity	Steal Application Access Token	TTP	Azure Active Directory Account Takeover	2024-09-30
Azure AD User Enabled And Password Reset	Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user	Account Manipulation	TTP	Azure Active Directory Persistence	2024-09-30
Azure AD User ImmutableId Attribute Updated	Azure Active Directory Update user	Account Manipulation	TTP	Azure Active Directory Persistence	2024-09-30
Azure Automation Account Created	Azure Audit Create or Update an Azure Automation account	Create Account Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
Azure Automation Runbook Created	Azure Audit Create or Update an Azure Automation Runbook	Create Account Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
Azure Runbook Webhook Created	Azure Audit Create or Update an Azure Automation webhook	Valid Accounts Cloud Accounts	TTP	Azure Active Directory Persistence	2024-09-30
Circle CI Disable Security Job	CircleCI	Compromise Host Software Binary	Anomaly	Dev Sec Ops	2024-09-30
Circle CI Disable Security Step	CircleCI	Compromise Host Software Binary	Anomaly	Dev Sec Ops	2024-10-17
Cloud API Calls From Previously Unseen User Roles	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud User Activities	2024-10-17
Cloud Compute Instance Created By Previously Unseen User	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Compute Instance Created In Previously Unused Region	AWS CloudTrail	Unused/Unsupported Cloud Regions	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Compute Instance Created With Previously Unseen Image	AWS CloudTrail	N/A	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Compute Instance Created With Previously Unseen Instance Type	AWS CloudTrail	N/A	Anomaly	Cloud Cryptomining	2024-10-17
Cloud Instance Modified By Previously Unseen User	AWS CloudTrail	Cloud Accounts Valid Accounts	Anomaly	Suspicious Cloud Instance Activities	2024-10-17
Cloud Provisioning Activity From Previously Unseen City	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Provisioning Activity From Previously Unseen Country	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Provisioning Activity From Previously Unseen Region	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-09-30
Cloud Security Groups Modifications by User	AWS CloudTrail	Modify Cloud Compute Configurations	Anomaly	Suspicious Cloud User Activities	2024-09-30
Detect AWS Console Login by New User	AWS CloudTrail	Compromise Accounts Cloud Accounts Unsecured Credentials	Hunting	AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities	2024-10-17
Detect AWS Console Login by User from New City	AWS CloudTrail	Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-10-17
Detect AWS Console Login by User from New Country	AWS CloudTrail	Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-10-17
Detect AWS Console Login by User from New Region	AWS CloudTrail	Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-10-17
Detect GCP Storage access from a new IP		Data from Cloud Storage	Anomaly	Suspicious GCP Storage Activities	2024-10-17
Detect New Open GCP Storage Buckets		Data from Cloud Storage	TTP	Suspicious GCP Storage Activities	2024-10-17
Detect New Open S3 buckets	AWS CloudTrail	Data from Cloud Storage	TTP	Suspicious AWS S3 Activities	2024-09-30
Detect New Open S3 Buckets over AWS CLI	AWS CloudTrail	Data from Cloud Storage	TTP	Suspicious AWS S3 Activities	2024-09-30
Detect S3 access from a new IP		Data from Cloud Storage	Anomaly	Suspicious AWS S3 Activities	2024-10-17
Detect Spike in AWS Security Hub Alerts for EC2 Instance	AWS Security Hub	N/A	Anomaly	AWS Security Hub Alerts, Critical Alerts	2024-10-09
Detect Spike in AWS Security Hub Alerts for User	AWS Security Hub	N/A	Anomaly	AWS Security Hub Alerts, Critical Alerts	2024-10-09
Detect Spike in blocked Outbound Traffic from your AWS		N/A	Anomaly	AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic	2024-10-17
Detect Spike in S3 Bucket deletion	AWS CloudTrail	Data from Cloud Storage	Anomaly	Suspicious AWS S3 Activities	2024-10-17
GCP Authentication Failed During MFA Challenge	Google Workspace login_failure	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	GCP Account Takeover	2024-09-30
GCP Detect gcploit framework		Valid Accounts	TTP	GCP Cross Account Activity	2024-10-17
GCP Kubernetes cluster pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
GCP Multi-Factor Authentication Disabled		Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication	TTP	GCP Account Takeover	2024-09-30
GCP Multiple Failed MFA Requests For User	Google Workspace login_failure	Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts	TTP	GCP Account Takeover	2024-09-30
GCP Multiple Users Failing To Authenticate From Ip	Google Workspace login_failure	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Anomaly	GCP Account Takeover	2024-09-30
GCP Successful Single-Factor Authentication	Google Workspace login_success	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts	TTP	GCP Account Takeover	2024-09-30
GCP Unusual Number of Failed Authentications From Ip	Google Workspace login_failure	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Anomaly	GCP Account Takeover	2024-09-30
Gdrive suspicious file sharing		Phishing	Hunting	Data Exfiltration, Spearphishing Attachments	2024-10-17
GitHub Actions Disable Security Workflow	GitHub	Compromise Software Supply Chain Supply Chain Compromise	Anomaly	Dev Sec Ops	2024-09-30
Github Commit Changes In Master	GitHub	Trusted Relationship	Anomaly	Dev Sec Ops	2024-09-30
Github Commit In Develop	GitHub	Trusted Relationship	Anomaly	Dev Sec Ops	2024-09-30
GitHub Dependabot Alert	GitHub	Compromise Software Dependencies and Development Tools Supply Chain Compromise	Anomaly	Dev Sec Ops	2024-09-30
GitHub Pull Request from Unknown User	GitHub	Compromise Software Dependencies and Development Tools Supply Chain Compromise	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Drive Share In External Email	G Suite Drive	Exfiltration to Cloud Storage Exfiltration Over Web Service	Anomaly	Dev Sec Ops, Insider Threat	2024-10-17
GSuite Email Suspicious Attachment	G Suite Gmail	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Email Suspicious Subject With Attachment	G Suite Gmail	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Email With Known Abuse Web Service Link	G Suite Gmail	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
Gsuite Outbound Email With Attachment To External Domain	G Suite Gmail	Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol	Hunting	Dev Sec Ops, Insider Threat	2024-10-17
Gsuite suspicious calendar invite		Phishing	Hunting	Spearphishing Attachments	2024-10-17
Gsuite Suspicious Shared File Name	G Suite Drive	Spearphishing Attachment Phishing	Anomaly	Dev Sec Ops	2024-09-30
High Number of Login Failures from a single source	O365 UserLoginFailed	Password Guessing Brute Force	Anomaly	Office 365 Account Takeover	2024-09-30
Kubernetes Abuse of Secret by Unusual Location	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Abuse of Secret by Unusual User Agent	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Abuse of Secret by Unusual User Group	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Abuse of Secret by Unusual User Name	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Access Scanning	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Anomalous Inbound Network Activity from Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Inbound Outbound Network IO		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Inbound to Outbound Network IO Ratio		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Outbound Network Activity from Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Traffic on Network Edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes AWS detect suspicious kubectl calls	Kubernetes Audit	N/A	Anomaly	Kubernetes Security	2024-10-17
Kubernetes Create or Update Privileged Pod	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Cron Job Creation	Kubernetes Audit	Container Orchestration Job	Anomaly	Kubernetes Security	2024-09-30
Kubernetes DaemonSet Deployed	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Falco Shell Spawned	Kubernetes Falco	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes newly seen TCP edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes newly seen UDP edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Nginx Ingress LFI		Exploitation for Credential Access	TTP	Dev Sec Ops	2024-09-30
Kubernetes Nginx Ingress RFI		Exploitation for Credential Access	TTP	Dev Sec Ops	2024-09-30
Kubernetes Node Port Creation	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Pod Created in Default Namespace	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Pod With Host Network Attachment	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Previously Unseen Container Image Name		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Previously Unseen Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Process Running From New Path		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Process with Anomalous Resource Utilisation		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Process with Resource Ratio Anomalies		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Scanner Image Pulling		Cloud Service Discovery	TTP	Dev Sec Ops	2024-09-30
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Shell Running on Worker Node		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Shell Running on Worker Node with CPU Activity		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Suspicious Image Pulling	Kubernetes Audit	Cloud Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Unauthorized Access	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
O365 Add App Role Assignment Grant User	O365 Add app role assignment grant to user.	Cloud Account Create Account	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2024-09-30
O365 Added Service Principal	O365	Cloud Account Create Account	TTP	Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Admin Consent Bypassed by Service Principal	O365 Add app role assignment to service principal.	Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Advanced Audit Disabled	O365 Change user license.	Impair Defenses Disable or Modify Cloud Logs	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Application Available To Other Tenants		Additional Cloud Roles Account Manipulation	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration	2024-09-30
O365 Application Registration Owner Added	O365 Add owner to application.	Account Manipulation	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 ApplicationImpersonation Role Assigned	O365	Account Manipulation Additional Email Delegate Permissions	TTP	NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms	2024-09-30
O365 Block User Consent For Risky Apps Disabled	O365 Update authorization policy.	Impair Defenses	TTP	Office 365 Account Takeover	2024-09-30
O365 Bypass MFA via Trusted IP	O365 Set Company Information.	Disable or Modify Cloud Firewall Impair Defenses	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Compliance Content Search Exported		Email Collection Remote Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 Compliance Content Search Started		Email Collection Remote Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 Concurrent Sessions From Different Ips	O365 UserLoggedIn	Browser Session Hijacking	TTP	Office 365 Account Takeover	2024-09-30
O365 Cross-Tenant Access Change		Trust Modification	TTP	Azure Active Directory Persistence	2024-09-30
O365 Disable MFA	O365 Disable Strong Authentication.	Modify Authentication Process	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 DLP Rule Triggered		Exfiltration Over Alternative Protocol Exfiltration Over Web Service	Anomaly	Data Exfiltration	2024-09-30
O365 Elevated Mailbox Permission Assigned		Account Manipulation Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2024-09-30
O365 Email Access By Security Administrator		Exfiltration Over Web Service Email Collection Remote Email Collection	TTP	Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover	2024-09-30
O365 Email Reported By Admin Found Malicious		Phishing Spearphishing Attachment Spearphishing Link	TTP	Spearphishing Attachments, Suspicious Emails	2024-09-30
O365 Email Reported By User Found Malicious		Phishing Spearphishing Attachment Spearphishing Link	TTP	Spearphishing Attachments, Suspicious Emails	2024-09-30
O365 Email Security Feature Changed		Impair Defenses Disable or Modify Cloud Logs Disable or Modify Tools	TTP	Office 365 Account Takeover, Office 365 Persistence Mechanisms	2024-09-30
O365 Email Suspicious Behavior Alert		Email Collection Email Forwarding Rule	TTP	Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails	2024-09-30
O365 Excessive Authentication Failures Alert		Brute Force	Anomaly	Office 365 Account Takeover	2024-09-30
O365 Excessive SSO logon errors	O365 UserLoginFailed	Modify Authentication Process	Anomaly	Cloud Federated Credential Abuse, Office 365 Account Takeover	2024-09-30
O365 External Guest User Invited		Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
O365 External Identity Policy Changed		Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
O365 File Permissioned Application Consent Granted by User	O365 Consent to application.	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 FullAccessAsApp Permission Assigned	O365 Update application.	Additional Email Delegate Permissions Additional Cloud Roles	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 High Number Of Failed Authentications for User	O365 UserLoginFailed	Brute Force Password Guessing	TTP	Office 365 Account Takeover	2024-09-30
O365 High Privilege Role Granted	O365 Add member to role.	Account Manipulation Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Mail Permissioned Application Consent Granted by User	O365 Consent to application.	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 Mailbox Email Forwarding Enabled		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Folder Read Permission Assigned		Account Manipulation Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Folder Read Permission Granted		Account Manipulation Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Inbox Folder Shared with All Users	O365 ModifyFolderPermissions	Email Collection Remote Email Collection	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Mailbox Read Access Granted to Application	O365 Update application.	Remote Email Collection Email Collection Account Manipulation Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Multi-Source Failed Authentications Spike	O365 UserLoginFailed	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	Hunting	NOBELIUM Group, Office 365 Account Takeover	2024-10-17
O365 Multiple AppIDs and UserAgents Authentication Spike	O365 UserLoggedIn, O365 UserLoginFailed	Valid Accounts	Anomaly	Office 365 Account Takeover	2024-09-30
O365 Multiple Failed MFA Requests For User	O365 UserLoginFailed	Multi-Factor Authentication Request Generation	TTP	Office 365 Account Takeover	2024-09-30
O365 Multiple Mailboxes Accessed via API	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 Multiple Service Principals Created by SP	O365 Add service principal.	Cloud Account	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Multiple Service Principals Created by User	O365 Add service principal.	Cloud Account	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Multiple Users Failing To Authenticate From Ip	O365 UserLoginFailed	Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing	TTP	NOBELIUM Group, Office 365 Account Takeover	2024-09-30
O365 New Email Forwarding Rule Created		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 New Email Forwarding Rule Enabled		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 New Federated Domain Added	O365	Cloud Account Create Account	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2024-09-30
O365 New Forwarding Mailflow Rule Created		Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 New MFA Method Registered	O365 Update user.	Account Manipulation Device Registration	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 OAuth App Mailbox Access via EWS	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 OAuth App Mailbox Access via Graph API	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 Privileged Graph API Permission Assigned	O365 Update application.	Security Account Manager	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Privileged Role Assigned		Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Persistence	2024-09-30
O365 Privileged Role Assigned To Service Principal		Account Manipulation Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation	2024-09-30
O365 PST export alert	O365	Email Collection	TTP	Data Exfiltration, Office 365 Collection Techniques	2024-09-30
O365 Safe Links Detection		Phishing Spearphishing Attachment	TTP	Office 365 Account Takeover, Spearphishing Attachments	2024-09-30
O365 Security And Compliance Alert Triggered		Valid Accounts Cloud Accounts	TTP	Office 365 Account Takeover	2024-09-30
O365 Service Principal New Client Credentials	O365	Account Manipulation Additional Cloud Credentials	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 SharePoint Allowed Domains Policy Changed		Cloud Account	TTP	Azure Active Directory Persistence	2024-09-30
O365 SharePoint Malware Detection		Malicious File User Execution	TTP	Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud	2024-09-30
O365 Tenant Wide Admin Consent Granted	O365 Consent to application.	Account Manipulation Additional Cloud Roles	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-09-30
O365 Threat Intelligence Suspicious Email Delivered		Phishing Spearphishing Attachment Spearphishing Link	Anomaly	Spearphishing Attachments, Suspicious Emails	2024-09-30
O365 Threat Intelligence Suspicious File Detected		Malicious File User Execution	TTP	Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud	2024-09-30
O365 User Consent Blocked for Risky Application	O365 Consent to application.	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 User Consent Denied for OAuth Application	O365	Steal Application Access Token	TTP	Office 365 Account Takeover	2024-09-30
O365 ZAP Activity Detection		Phishing Spearphishing Attachment Spearphishing Link	Anomaly	Spearphishing Attachments, Suspicious Emails	2024-09-30
Risk Rule for Dev Sec Ops by Repository		Malicious Image User Execution	Correlation	Dev Sec Ops	2024-10-22