Resource Development Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Okta Authentication Failed During MFA Challenge | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2024-05-29 |
| Okta Successful Single Factor Authentication | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-05-26 |
| Okta User Logins from Multiple Cities | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2024-05-09 |
| Splunk Digital Certificates Infrastructure Version | Splunk | Digital Certificates | Hunting | Splunk Vulnerabilities | 2024-05-27 |
| Splunk Digital Certificates Lack of Encryption | Splunk | Digital Certificates | Anomaly | Splunk Vulnerabilities | 2024-05-18 |
| Splunk protocol impersonation weak encryption selfsigned | Splunk | Digital Certificates | Hunting | Splunk Vulnerabilities | 2024-05-21 |
| Splunk protocol impersonation weak encryption simplerequest | Splunk | Digital Certificates | Hunting | Splunk Vulnerabilities | 2024-05-23 |
| ASL AWS Multi-Factor Authentication Disabled | | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-05-22 |
| AWS Console Login Failed During MFA Challenge | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-05-29 |
| AWS Credential Access Failed Login | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | TTP | AWS Identity and Access Management Account Takeover | 2024-05-16 |
| AWS Credential Access GetPasswordData | AWS CloudTrail GetPasswordData | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | Anomaly | AWS Identity and Access Management Account Takeover | 2024-05-21 |
| AWS Credential Access RDS Password reset | AWS CloudTrail ModifyDBInstance | Compromise Accounts, Cloud Accounts, Brute Force | TTP | AWS Identity and Access Management Account Takeover | 2024-05-09 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-05-15 |
| AWS Multiple Failed MFA Requests For User | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | AWS Identity and Access Management Account Takeover | 2024-05-31 |
| AWS Successful Console Authentication From Multiple IPs | AWS CloudTrail ConsoleLogin | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly | Compromised User Account, Suspicious AWS Login Activities | 2024-09-24 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2024-05-12 |
| AWS Unusual Number of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly | AWS Identity and Access Management Account Takeover | 2024-05-24 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication | TTP | Azure Active Directory Account Takeover | 2024-05-23 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-09-24 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly | Azure Active Directory Account Takeover | 2024-09-24 |
| Detect AWS Console Login by New User | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unsecured Credentials | Hunting | AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities | 2024-05-28 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-05-25 |
| Detect AWS Console Login by User from New Country | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-05-16 |
| Detect AWS Console Login by User from New Region | AWS CloudTrail | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-05-18 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2024-09-24 |
| GCP Multi-Factor Authentication Disabled | | Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication | TTP | GCP Account Takeover | 2024-05-25 |
| GCP Multiple Failed MFA Requests For User | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-05-23 |
| GCP Multiple Users Failing To Authenticate From Ip | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly | GCP Account Takeover | 2024-05-22 |
| GCP Successful Single-Factor Authentication | Google Workspace login_success | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-05-25 |
| GCP Unusual Number of Failed Authentications From Ip | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly | GCP Account Takeover | 2024-05-24 |
| O365 Multi-Source Failed Authentications Spike | O365 UserLoginFailed | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting | NOBELIUM Group, Office 365 Account Takeover | 2024-09-24 |
| O365 Multiple Users Failing To Authenticate From Ip | O365 UserLoginFailed | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | TTP | NOBELIUM Group, Office 365 Account Takeover | 2024-09-24 |
| Windows NirSoft AdvancedRun | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Tool | TTP | Data Destruction, Ransomware, Unusual Processes, WhisperGate | 2024-08-15 |
| Windows NirSoft Utilities | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Tool | Hunting | Data Destruction, WhisperGate | 2024-08-15 |
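Several rows above share one detection shape: group failed console logins by source address and look for many distinct user names in a short window (the "Multiple Users Failing To Authenticate From Ip" and "Unusual Number of Failed Authentications From Ip" rows), or single out failures where the password was accepted but the MFA step was not (the "Failed During MFA Challenge" rows). The block below is an added illustration of that logic over constructed AWS CloudTrail ConsoleLogin records; it is not one of the Splunk Security Content searches listed in the table and makes no claim about their thresholds. The field names (`eventName`, `sourceIPAddress`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `userIdentity.userName`, the `HIDDEN_DUE_TO_SECURITY_REASONS` masking value) follow the real CloudTrail schema; the sample values, the 10-minute window, the 5-user threshold, and the assumption that a failed MFA challenge is recorded with `MFAUsed` set to `Yes` are this example's own.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# CloudTrail masks the user name on a failed ConsoleLogin when the name itself was wrong.
HIDDEN_USER = "HIDDEN_DUE_TO_SECURITY_REASONS"


def _event(ts, user, ip, outcome, mfa_used):
    """Build one constructed CloudTrail ConsoleLogin record as a JSON line.
    Field names follow the real ConsoleLogin schema; every value is made up."""
    rec = {
        "eventTime": ts,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "arn": f"arn:aws:iam::123456789012:user/{user}"},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa_used},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return json.dumps(rec)


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # one source, one failure each against five users in eight minutes: spray pattern
    _event("2024-05-24T10:00:05Z", "alice", "198.51.100.7", "Failure", "No"),
    _event("2024-05-24T10:01:40Z", "bob", "198.51.100.7", "Failure", "No"),
    _event("2024-05-24T10:03:10Z", "carol", "198.51.100.7", "Failure", "No"),
    _event("2024-05-24T10:05:00Z", HIDDEN_USER, "198.51.100.7", "Failure", "No"),
    _event("2024-05-24T10:06:30Z", "dave", "198.51.100.7", "Failure", "No"),
    _event("2024-05-24T10:08:00Z", "erin", "198.51.100.7", "Failure", "No"),
    # one user mistyping a password twice, then succeeding with MFA: benign
    _event("2024-05-24T11:00:00Z", "alice", "203.0.113.5", "Failure", "No"),
    _event("2024-05-24T11:00:20Z", "alice", "203.0.113.5", "Failure", "No"),
    _event("2024-05-24T11:00:45Z", "alice", "203.0.113.5", "Success", "Yes"),
    # password accepted, MFA challenge failed: someone other than bob holds bob's password
    _event("2024-05-24T12:15:00Z", "bob", "192.0.2.9", "Failure", "Yes"),
]


def parse_console_logins(lines):
    """Parse JSON lines, keep only ConsoleLogin events, attach a parsed UTC timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventName") != "ConsoleLogin":
            continue
        rec["_ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def is_failure(rec):
    return rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"


def spray_sources(events, window_minutes=10, min_users=5):
    """Source IPs whose failed logins cover at least min_users distinct user names
    inside some sliding window. Masked names are left out of the distinct count so
    guesses at non-existent users cannot inflate it. Window and threshold are
    example values chosen here, not those of any shipped detection."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for rec in events:
        if is_failure(rec):
            by_ip[rec["sourceIPAddress"]].append((rec["_ts"], rec["userIdentity"].get("userName", "")))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window and u != HIDDEN_USER}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def mfa_challenge_failures(events):
    """Failed ConsoleLogins where the password step passed and the MFA step did not.
    Assumption made by this example: such records carry additionalEventData.MFAUsed == "Yes"."""
    return [(rec["userIdentity"].get("userName"), rec["sourceIPAddress"])
            for rec in events
            if is_failure(rec) and rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"]


if __name__ == "__main__":
    evs = parse_console_logins(SAMPLE_LOG)
    print("spray sources:", spray_sources(evs))
    print("MFA challenge failures:", mfa_challenge_failures(evs))
```

Two points carry over to a production version regardless of tooling: the masked `HIDDEN_DUE_TO_SECURITY_REASONS` value must not be treated as a real user, or a single attacker guessing non-existent names both inflates and pollutes the distinct-user count; and the MFA-challenge check is only as good as the assumption about how the provider records a failed second factor, so verify that field against a known failed MFA attempt in your own trail before alerting on it.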