Cloud Detections

Name Data Source Technique Type Analytic Story Date
Abnormally High Number Of Cloud Infrastructure API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-10-17
Abnormally High Number Of Cloud Instances Destroyed AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Instances Launched AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining, Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Security Group API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
Amazon EKS Kubernetes cluster scan detection Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
Amazon EKS Kubernetes Pod scan detection Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
ASL AWS Concurrent Sessions From Different Ips Browser Session Hijacking Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
ASL AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs Impair Defenses Hunting AWS Defense Evasion 2024-10-17
ASL AWS Defense Evasion Stop Logging Cloudtrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Update Cloudtrail Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
ASL AWS ECR Container Upload Outside Business Hours Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
ASL AWS ECR Container Upload Unknown User Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
ASL AWS IAM Delete Policy Account Manipulation Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS IAM Failure Group Deletion Account Manipulation Anomaly AWS IAM Privilege Escalation 2024-10-22
ASL AWS IAM Successful Group Deletion Cloud Groups Account Manipulation Permission Groups Discovery Hunting AWS IAM Privilege Escalation 2024-10-22
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
ASL AWS New MFA Method Registered For User Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-10-17
AWS AMI Attribute Modification for Exfiltration AWS CloudTrail ModifyImageAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS Concurrent Sessions From Different Ips AWS CloudTrail DescribeEventAggregates Browser Session Hijacking TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Console Login Failed During MFA Challenge AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS CreateAccessKey AWS CloudTrail CreateAccessKey Cloud Account Create Account Hunting AWS IAM Privilege Escalation 2024-10-17
AWS CreateLoginProfile AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile Cloud Account Create Account TTP AWS IAM Privilege Escalation 2024-09-30
AWS Credential Access Failed Login AWS CloudTrail Compromise Accounts Cloud Accounts Brute Force Password Guessing TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access GetPasswordData AWS CloudTrail GetPasswordData Compromise Accounts Cloud Accounts Brute Force Password Guessing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access RDS Password reset AWS CloudTrail ModifyDBInstance Compromise Accounts Cloud Accounts Brute Force TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Cross Account Activity From Previously Unseen Account AWS CloudTrail N/A Anomaly Suspicious Cloud Authentication Activities 2024-10-17
AWS Defense Evasion Delete Cloudtrail AWS CloudTrail DeleteTrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group AWS CloudTrail DeleteLogGroup Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Impair Security Services AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL Disable or Modify Cloud Logs Impair Defenses Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion PutBucketLifecycle AWS CloudTrail PutBucketLifecycle Disable or Modify Cloud Logs Impair Defenses Lifecycle-Triggered Deletion Data Destruction Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion Stop Logging Cloudtrail AWS CloudTrail StopLogging Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Update Cloudtrail AWS CloudTrail UpdateTrail Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
aws detect attach to role policy Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect permanent key creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect role creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts assume role abuse Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts get session token abuse Use Alternate Authentication Material Hunting AWS Cross Account Activity 2024-10-17
AWS Detect Users creating keys with encrypt policy without MFA AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy Data Encrypted for Impact TTP Ransomware Cloud 2024-09-30
AWS Detect Users with KMS keys performing encryption S3 AWS CloudTrail Data Encrypted for Impact Anomaly Ransomware Cloud 2024-09-30
AWS Disable Bucket Versioning AWS CloudTrail PutBucketVersioning Inhibit System Recovery Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS EC2 Snapshot Shared Externally AWS CloudTrail ModifySnapshotAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS ECR Container Scanning Findings High AWS CloudTrail DescribeImageScanFindings Malicious Image User Execution TTP Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Low Informational Unknown AWS CloudTrail DescribeImageScanFindings Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Medium AWS CloudTrail DescribeImageScanFindings Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Outside Business Hours AWS CloudTrail PutImage Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Unknown User AWS CloudTrail PutImage Malicious Image User Execution Anomaly Dev Sec Ops 2024-09-30
AWS Excessive Security Scanning AWS CloudTrail Cloud Service Discovery TTP AWS User Monitoring 2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity AWS CloudTrail GetObject Automated Collection Anomaly Data Exfiltration 2024-09-30
AWS Exfiltration via Batch Service AWS CloudTrail JobCreated Automated Collection TTP Data Exfiltration 2024-09-30
AWS Exfiltration via Bucket Replication AWS CloudTrail PutBucketReplication Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via DataSync Task AWS CloudTrail CreateTask Automated Collection TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via EC2 Snapshot AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute Transfer Data to Cloud Account TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS High Number Of Failed Authentications For User AWS CloudTrail ConsoleLogin Password Policy Discovery Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS High Number Of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS IAM AccessDenied Discovery Events AWS CloudTrail Cloud Infrastructure Discovery Anomaly Suspicious Cloud User Activities 2024-09-30
AWS IAM Assume Role Policy Brute Force AWS CloudTrail Cloud Infrastructure Discovery Brute Force TTP AWS IAM Privilege Escalation 2024-09-30
AWS IAM Delete Policy AWS CloudTrail DeletePolicy Account Manipulation Hunting AWS IAM Privilege Escalation 2024-10-17
AWS IAM Failure Group Deletion AWS CloudTrail DeleteGroup Account Manipulation Anomaly AWS IAM Privilege Escalation 2024-10-22
AWS IAM Successful Group Deletion AWS CloudTrail DeleteGroup Cloud Groups Account Manipulation Permission Groups Discovery Hunting AWS IAM Privilege Escalation 2024-10-22
AWS Lambda UpdateFunctionCode AWS CloudTrail User Execution Hunting Suspicious Cloud User Activities 2024-10-22
AWS Multi-Factor Authentication Disabled AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Failed MFA Requests For User AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Users Failing To Authenticate From Ip AWS CloudTrail ConsoleLogin Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-10-16
AWS Network Access Control List Created with All Open Ports AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry Disable or Modify Cloud Firewall Impair Defenses TTP AWS Network ACL Activity 2024-09-30
AWS Network Access Control List Deleted AWS CloudTrail DeleteNetworkAclEntry Disable or Modify Cloud Firewall Impair Defenses Anomaly AWS Network ACL Activity 2024-09-30
AWS New MFA Method Registered For User AWS CloudTrail CreateVirtualMFADevice Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Password Policy Changes AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy Password Policy Discovery Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
AWS S3 Exfiltration Behavior Identified Transfer Data to Cloud Account Correlation Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS SAML Access by Provider User and Principal AWS CloudTrail AssumeRoleWithSAML Valid Accounts Anomaly Cloud Federated Credential Abuse 2024-09-30
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider Valid Accounts TTP Cloud Federated Credential Abuse 2024-09-30
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS Successful Console Authentication From Multiple IPs AWS CloudTrail ConsoleLogin Compromise Accounts Unused/Unsupported Cloud Regions Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-30
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Unusual Number of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS UpdateLoginProfile AWS CloudTrail UpdateLoginProfile Cloud Account Create Account TTP AWS IAM Privilege Escalation 2024-09-30
Azure Active Directory High Risk Sign-in Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Admin Consent Bypassed by Service Principal Azure Active Directory Add app role assignment to service principal Additional Cloud Roles TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Application Administrator Role Assigned Azure Active Directory Add member to role Account Manipulation Additional Cloud Roles TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Authentication Failed During MFA Challenge Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-10-31
Azure AD Block User Consent For Risky Apps Disabled Azure Active Directory Update authorization policy Impair Defenses TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Concurrent Sessions From Different Ips Azure Active Directory Browser Session Hijacking TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Device Code Authentication Azure Active Directory Steal Application Access Token Phishing Spearphishing Link TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD External Guest User Invited Azure Active Directory Invite external user Cloud Account TTP Azure Active Directory Persistence 2024-09-30
Azure AD FullAccessAsApp Permission Assigned Azure Active Directory Update application Additional Email Delegate Permissions Additional Cloud Roles TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Global Administrator Role Assigned Azure Active Directory Add member to role Additional Cloud Roles TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD High Number Of Failed Authentications For User Azure Active Directory Brute Force Password Guessing TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD High Number Of Failed Authentications From Ip Azure Active Directory Brute Force Password Guessing Password Spraying TTP Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group 2024-09-30
Azure AD Multi-Factor Authentication Disabled Azure Active Directory Disable Strong Authentication Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multi-Source Failed Authentications Spike Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-10-17
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity Valid Accounts Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Denied MFA Requests For User Azure Active Directory Sign-in activity Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Service Principals Created by SP Azure Active Directory Add service principal Cloud Account Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Service Principals Created by User Azure Active Directory Add service principal Cloud Account Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD New Custom Domain Added Azure Active Directory Add unverified domain Domain or Tenant Policy Modification Trust Modification TTP Azure Active Directory Persistence 2024-09-30
Azure AD New Federated Domain Added Azure Active Directory Set domain authentication Domain or Tenant Policy Modification Trust Modification TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered Azure Active Directory Update user Account Manipulation Device Registration TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered For User Azure Active Directory User registered security info Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD OAuth Application Consent Granted By User Azure Active Directory Consent to application Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD PIM Role Assigned Azure Active Directory Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD PIM Role Assignment Activated Azure Active Directory Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Authentication Administrator Role Assigned Azure Active Directory Add member to role Security Account Manager TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Graph API Permission Assigned Azure Active Directory Update application Security Account Manager TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned Azure Active Directory Add member to role Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned to Service Principal Azure Active Directory Add member to role Account Manipulation Additional Cloud Roles TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity Cloud Accounts TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-30
Azure AD Service Principal Created Azure Active Directory Add service principal Cloud Account TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Service Principal New Client Credentials Azure Active Directory Account Manipulation Additional Cloud Credentials TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Owner Added Azure Active Directory Add owner to application Account Manipulation TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Successful Authentication From Different Ips Azure Active Directory Brute Force Password Guessing Password Spraying TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Successful PowerShell Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful Single-Factor Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Tenant Wide Admin Consent Granted Azure Active Directory Consent to application Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Blocked for Risky Application Azure Active Directory Consent to application Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Denied for OAuth Application Azure Active Directory Sign-in activity Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Enabled And Password Reset Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user Account Manipulation TTP Azure Active Directory Persistence 2024-09-30
Azure AD User ImmutableId Attribute Updated Azure Active Directory Update user Account Manipulation TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Account Created Azure Audit Create or Update an Azure Automation account Create Account Cloud Account TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Runbook Created Azure Audit Create or Update an Azure Automation Runbook Create Account Cloud Account TTP Azure Active Directory Persistence 2024-09-30
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook Valid Accounts Cloud Accounts TTP Azure Active Directory Persistence 2024-09-30
Circle CI Disable Security Job CircleCI Compromise Host Software Binary Anomaly Dev Sec Ops 2024-09-30
Circle CI Disable Security Step CircleCI Compromise Host Software Binary Anomaly Dev Sec Ops 2024-10-17
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created In Previously Unused Region AWS CloudTrail Unused/Unsupported Cloud Regions Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Image AWS CloudTrail N/A Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Instance Type AWS CloudTrail N/A Anomaly Cloud Cryptomining 2024-10-17
Cloud Instance Modified By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-17
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Security Groups Modifications by User AWS CloudTrail Modify Cloud Compute Configurations Anomaly Suspicious Cloud User Activities 2024-09-30
Detect AWS Console Login by New User AWS CloudTrail Compromise Accounts Cloud Accounts Unsecured Credentials Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New City AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Country AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Region AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect GCP Storage access from a new IP Data from Cloud Storage Anomaly Suspicious GCP Storage Activities 2024-10-17
Detect New Open GCP Storage Buckets Data from Cloud Storage TTP Suspicious GCP Storage Activities 2024-10-17
Detect New Open S3 buckets AWS CloudTrail Data from Cloud Storage TTP Suspicious AWS S3 Activities 2024-09-30
Detect New Open S3 Buckets over AWS CLI AWS CloudTrail Data from Cloud Storage TTP Suspicious AWS S3 Activities 2024-09-30
Detect S3 access from a new IP Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-10-17
Detect Spike in AWS Security Hub Alerts for EC2 Instance AWS Security Hub N/A Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Spike in AWS Security Hub Alerts for User AWS Security Hub N/A Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Spike in blocked Outbound Traffic from your AWS N/A Anomaly AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic 2024-10-17
Detect Spike in S3 Bucket deletion AWS CloudTrail Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-10-17
GCP Authentication Failed During MFA Challenge Google Workspace login_failure Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP GCP Account Takeover 2024-09-30
GCP Detect gcploit framework Valid Accounts TTP GCP Cross Account Activity 2024-10-17
GCP Kubernetes cluster pod scan detection Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
GCP Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP GCP Account Takeover 2024-09-30
GCP Multiple Failed MFA Requests For User Google Workspace login_failure Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Multiple Users Failing To Authenticate From Ip Google Workspace login_failure Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly GCP Account Takeover 2024-09-30
GCP Successful Single-Factor Authentication Google Workspace login_success Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Unusual Number of Failed Authentications From Ip Google Workspace login_failure Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly GCP Account Takeover 2024-09-30
Gdrive suspicious file sharing Phishing Hunting Data Exfiltration, Spearphishing Attachments 2024-10-17
GitHub Actions Disable Security Workflow GitHub Compromise Software Supply Chain Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
Github Commit Changes In Master GitHub Trusted Relationship Anomaly Dev Sec Ops 2024-09-30
Github Commit In Develop GitHub Trusted Relationship Anomaly Dev Sec Ops 2024-09-30
GitHub Dependabot Alert GitHub Compromise Software Dependencies and Development Tools Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
GitHub Pull Request from Unknown User GitHub Compromise Software Dependencies and Development Tools Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
Gsuite Drive Share In External Email G Suite Drive Exfiltration to Cloud Storage Exfiltration Over Web Service Anomaly Dev Sec Ops, Insider Threat 2024-10-17
GSuite Email Suspicious Attachment G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Email Suspicious Subject With Attachment G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Email With Known Abuse Web Service Link G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Hunting Dev Sec Ops, Insider Threat 2024-10-17
Gsuite suspicious calendar invite Phishing Hunting Spearphishing Attachments 2024-10-17
Gsuite Suspicious Shared File Name G Suite Drive Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
High Number of Login Failures from a single source O365 UserLoginFailed Password Guessing Brute Force Anomaly Office 365 Account Takeover 2024-09-30
Kubernetes Abuse of Secret by Unusual Location Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Agent Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Group Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Name Kubernetes Audit Container API Anomaly Kubernetes Security 2024-09-30
Kubernetes Access Scanning Kubernetes Audit Network Service Discovery Anomaly Kubernetes Security 2024-09-30
Kubernetes Anomalous Inbound Network Activity from Process User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Inbound Outbound Network IO User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Inbound to Outbound Network IO Ratio User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Outbound Network Activity from Process User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Traffic on Network Edge User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes AWS detect suspicious kubectl calls Kubernetes Audit N/A Anomaly Kubernetes Security 2024-10-17
Kubernetes Create or Update Privileged Pod Kubernetes Audit User Execution Anomaly Kubernetes Security 2024-09-30
Kubernetes Cron Job Creation Kubernetes Audit Container Orchestration Job Anomaly Kubernetes Security 2024-09-30
Kubernetes DaemonSet Deployed Kubernetes Audit User Execution Anomaly Kubernetes Security 2024-09-30
Kubernetes Falco Shell Spawned Kubernetes Falco User Execution Anomaly Kubernetes Security 2024-09-30
Kubernetes newly seen TCP edge User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes newly seen UDP edge User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Nginx Ingress LFI Exploitation for Credential Access TTP Dev Sec Ops 2024-09-30
Kubernetes Nginx Ingress RFI Exploitation for Credential Access TTP Dev Sec Ops 2024-09-30
Kubernetes Node Port Creation Kubernetes Audit User Execution Anomaly Kubernetes Security 2024-09-30
Kubernetes Pod Created in Default Namespace Kubernetes Audit User Execution Anomaly Kubernetes Security 2024-09-30
Kubernetes Pod With Host Network Attachment Kubernetes Audit User Execution Anomaly Kubernetes Security 2024-09-30
Kubernetes Previously Unseen Container Image Name User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Previously Unseen Process User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process Running From New Path User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process with Anomalous Resource Utilisation User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process with Resource Ratio Anomalies User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Scanner Image Pulling Cloud Service Discovery TTP Dev Sec Ops 2024-09-30
Kubernetes Scanning by Unauthenticated IP Address Kubernetes Audit Network Service Discovery Anomaly Kubernetes Security 2024-09-30
Kubernetes Shell Running on Worker Node User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Shell Running on Worker Node with CPU Activity User Execution Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Suspicious Image Pulling Kubernetes Audit Cloud Service Discovery Anomaly Kubernetes Security 2024-09-30
Kubernetes Unauthorized Access Kubernetes Audit User Execution Anomaly Kubernetes Security 2024-09-30
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. Cloud Account Create Account TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 Added Service Principal O365 Cloud Account Create Account TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Advanced Audit Disabled O365 Change user license. Impair Defenses Disable or Modify Cloud Logs TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Application Available To Other Tenants Additional Cloud Roles Account Manipulation TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2024-09-30
O365 Application Registration Owner Added O365 Add owner to application. Account Manipulation TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 ApplicationImpersonation Role Assigned O365 Account Manipulation Additional Email Delegate Permissions TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2024-09-30
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. Impair Defenses TTP Office 365 Account Takeover 2024-09-30
O365 Bypass MFA via Trusted IP O365 Set Company Information. Disable or Modify Cloud Firewall Impair Defenses TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Compliance Content Search Exported Email Collection Remote Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 Compliance Content Search Started Email Collection Remote Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn Browser Session Hijacking TTP Office 365 Account Takeover 2024-09-30
O365 Cross-Tenant Access Change Trust Modification TTP Azure Active Directory Persistence 2024-09-30
O365 Disable MFA O365 Disable Strong Authentication. Modify Authentication Process TTP Office 365 Persistence Mechanisms 2024-09-30
O365 DLP Rule Triggered Exfiltration Over Alternative Protocol Exfiltration Over Web Service Anomaly Data Exfiltration 2024-09-30
O365 Elevated Mailbox Permission Assigned Account Manipulation Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2024-09-30
O365 Email Access By Security Administrator Exfiltration Over Web Service Email Collection Remote Email Collection TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2024-09-30
O365 Email Reported By Admin Found Malicious Phishing Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Reported By User Found Malicious Phishing Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Security Feature Changed Impair Defenses Disable or Modify Cloud Logs Disable or Modify Tools TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2024-09-30
O365 Email Suspicious Behavior Alert Email Collection Email Forwarding Rule TTP Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2024-09-30
O365 Excessive Authentication Failures Alert Brute Force Anomaly Office 365 Account Takeover 2024-09-30
O365 Excessive SSO logon errors O365 UserLoginFailed Modify Authentication Process Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-09-30
O365 External Guest User Invited Cloud Account TTP Azure Active Directory Persistence 2024-09-30
O365 External Identity Policy Changed Cloud Account TTP Azure Active Directory Persistence 2024-09-30
O365 File Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 FullAccessAsApp Permission Assigned O365 Update application. Additional Email Delegate Permissions Additional Cloud Roles TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 High Number Of Failed Authentications for User O365 UserLoginFailed Brute Force Password Guessing TTP Office 365 Account Takeover 2024-09-30
O365 High Privilege Role Granted O365 Add member to role. Account Manipulation Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 Mailbox Email Forwarding Enabled Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Assigned Account Manipulation Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Granted Account Manipulation Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions Email Collection Remote Email Collection TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mailbox Read Access Granted to Application O365 Update application. Remote Email Collection Email Collection Account Manipulation Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting NOBELIUM Group, Office 365 Account Takeover 2024-10-17
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed Valid Accounts Anomaly Office 365 Account Takeover 2024-09-30
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed Multi-Factor Authentication Request Generation TTP Office 365 Account Takeover 2024-09-30
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Multiple Service Principals Created by SP O365 Add service principal. Cloud Account Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Service Principals Created by User O365 Add service principal. Cloud Account Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-30
O365 New Email Forwarding Rule Created Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 New Email Forwarding Rule Enabled Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 New Federated Domain Added O365 Cloud Account Create Account TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 New Forwarding Mailflow Rule Created Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 New MFA Method Registered O365 Update user. Account Manipulation Device Registration TTP Office 365 Persistence Mechanisms 2024-09-30
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Privileged Graph API Permission Assigned O365 Update application. Security Account Manager TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Privileged Role Assigned Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence 2024-09-30
O365 Privileged Role Assigned To Service Principal Account Manipulation Additional Cloud Roles TTP Azure Active Directory Privilege Escalation 2024-09-30
O365 PST export alert O365 Email Collection TTP Data Exfiltration, Office 365 Collection Techniques 2024-09-30
O365 Safe Links Detection Phishing Spearphishing Attachment TTP Office 365 Account Takeover, Spearphishing Attachments 2024-09-30
O365 Security And Compliance Alert Triggered Valid Accounts Cloud Accounts TTP Office 365 Account Takeover 2024-09-30
O365 Service Principal New Client Credentials O365 Account Manipulation Additional Cloud Credentials TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 SharePoint Allowed Domains Policy Changed Cloud Account TTP Azure Active Directory Persistence 2024-09-30
O365 SharePoint Malware Detection Malicious File User Execution TTP Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 Tenant Wide Admin Consent Granted O365 Consent to application. Account Manipulation Additional Cloud Roles TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Threat Intelligence Suspicious Email Delivered Phishing Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Threat Intelligence Suspicious File Detected Malicious File User Execution TTP Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 User Consent Blocked for Risky Application O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 User Consent Denied for OAuth Application O365 Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 ZAP Activity Detection Phishing Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
Risk Rule for Dev Sec Ops by Repository Malicious Image User Execution Correlation Dev Sec Ops 2024-10-22