|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta User Logins from Multiple Cities
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Splunk Digital Certificates Infrastructure Version
|
Splunk
|
Digital Certificates
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Digital Certificates Lack of Encryption
|
Splunk
|
Digital Certificates
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk protocol impersonation weak encryption selfsigned
|
Splunk
|
Digital Certificates
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk protocol impersonation weak encryption simplerequest
|
Splunk
|
Digital Certificates
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
ASL AWS Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-09-30
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Guessing
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Guessing
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
Compromise Accounts
Cloud Accounts
Brute Force
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Unused/Unsupported Cloud Regions
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2024-09-30
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-09-30
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-10-31
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-10-17
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-30
|
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unsecured Credentials
|
Hunting
|
AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities
|
2024-10-17
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-10-17
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-10-17
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-10-17
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2024-09-30
|
|
GCP Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
GCP Account Takeover
|
2024-09-30
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-09-30
|
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
GCP Account Takeover
|
2024-09-30
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace login_success
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-09-30
|
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
GCP Account Takeover
|
2024-09-30
|
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Hunting
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-10-17
|
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
TTP
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-09-30
|
|
Windows NirSoft AdvancedRun
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Tool
|
TTP
|
Data Destruction, Ransomware, Unusual Processes, WhisperGate
|
2024-09-30
|
|
Windows NirSoft Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Tool
|
Hunting
|
Data Destruction, WhisperGate
|
2024-10-17
|