Resource Development Detections

Name Data Source Technique Type Analytic Story Date
Okta Authentication Failed During MFA Challenge Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Okta Account Takeover 2024-09-30
Okta Successful Single Factor Authentication Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta User Logins from Multiple Cities Okta Cloud Accounts Anomaly Okta Account Takeover 2024-09-30
Splunk Digital Certificates Infrastructure Version Splunk Digital Certificates Hunting Splunk Vulnerabilities 2024-10-17
Splunk Digital Certificates Lack of Encryption Splunk Digital Certificates Anomaly Splunk Vulnerabilities 2024-10-16
Splunk protocol impersonation weak encryption selfsigned Splunk Digital Certificates Hunting Splunk Vulnerabilities 2024-10-17
Splunk protocol impersonation weak encryption simplerequest Splunk Digital Certificates Hunting Splunk Vulnerabilities 2024-10-17
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Console Login Failed During MFA Challenge AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Credential Access Failed Login AWS CloudTrail Compromise Accounts Cloud Accounts Brute Force Password Guessing TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access GetPasswordData AWS CloudTrail GetPasswordData Compromise Accounts Cloud Accounts Brute Force Password Guessing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access RDS Password reset AWS CloudTrail ModifyDBInstance Compromise Accounts Cloud Accounts Brute Force TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multi-Factor Authentication Disabled AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Failed MFA Requests For User AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Successful Console Authentication From Multiple IPs AWS CloudTrail ConsoleLogin Compromise Accounts Unused/Unsupported Cloud Regions Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-30
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Unusual Number of Failed Authentications From Ip AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
Azure Active Directory High Risk Sign-in Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Authentication Failed During MFA Challenge Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-10-31
Azure AD Multi-Factor Authentication Disabled Azure Active Directory Disable Strong Authentication Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multi-Source Failed Authentications Spike Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-10-17
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful PowerShell Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful Single-Factor Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Detect AWS Console Login by New User AWS CloudTrail Compromise Accounts Cloud Accounts Unsecured Credentials Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New City AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Country AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Region AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
GCP Authentication Failed During MFA Challenge Google Workspace login_failure Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP GCP Account Takeover 2024-09-30
GCP Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP GCP Account Takeover 2024-09-30
GCP Multiple Failed MFA Requests For User Google Workspace login_failure Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Multiple Users Failing To Authenticate From Ip Google Workspace login_failure Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly GCP Account Takeover 2024-09-30
GCP Successful Single-Factor Authentication Google Workspace login_success Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Unusual Number of Failed Authentications From Ip Google Workspace login_failure Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly GCP Account Takeover 2024-09-30
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting NOBELIUM Group, Office 365 Account Takeover 2024-10-17
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-30
Windows NirSoft AdvancedRun CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Tool TTP Data Destruction, Ransomware, Unusual Processes, WhisperGate 2024-09-30
Windows NirSoft Utilities CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Tool Hunting Data Destruction, WhisperGate 2024-10-17