URL: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Azure-Blob-Container-Access-Lev...
Cortex XDR Analytics Alert Reference by data source

Section: Azure Audit Log > Azure Blob Container Access Level Modification
Product: Cortex XDR
Last date published: 2024-10-29
Category: Analytics Alert Reference
Order: data source

Table of contents

 * Cortex XDR Analytics Alert Reference
 * Required Data Sources
 * AWS Audit Log
 * AWS Flow Log
 * AWS OCSF Flow Logs
 * Azure Audit Log
   * A Kubernetes Cronjob was created
   * Object versioning was disabled
   * Unusual secret management activity
   * Azure Blob Container Access Level Modification
   * Kubernetes network policy modification
   * Penetration testing tool activity
   * Denied API call by a Kubernetes service account
   * Kubernetes pod creation with host network
   * Azure user creation/deletion
   * Azure mailbox rule creation
   * Azure Key Vault modification
   * An Azure Kubernetes Role or Cluster-Role was modified
   * Unusual key management activity
   * External user invitation to Azure tenant
   * Kubernetes Pod created with host process ID (PID) namespace
   * A cloud identity had escalated its permissions
   * A Kubernetes StatefulSet was created
   * A Kubernetes service account executed an unusual API call
   * A Kubernetes node service account activity from external IP
   * Credentials were added to Azure application
   * Azure Network Watcher Deletion
   * Azure Event Hub Deletion
   * A Kubernetes deployment was created
   * A Kubernetes service account was created or deleted
   * Unusual resource modification/creation
   * Unusual certificate management activity
   * A Kubernetes ephemeral container was created
   * Remote usage of an Azure Managed Identity token
   * Azure Automation Webhook creation
   * An Azure Kubernetes Cluster was created or deleted
   * A Kubernetes secret was created or deleted
   * A Kubernetes Pod was created with a sidecar container
   * A Kubernetes ReplicaSet was created
   * A Kubernetes Pod was deleted
   * An Azure Network Security Group was modified
   * An Azure virtual network was modified
   * Azure diagnostic configuration deletion
   * Cloud compute serial console access
   * Azure Event Hub Authorization rule creation/modification
   * A cloud identity created or modified a security group
   * Kubernetes Pod Created with host Inter Process Communications (IPC)
     namespace
   * An identity accessed Azure Kubernetes Secrets
   * An Azure virtual network Device was modified
   * An Azure Suppression Rule was created
   * Kubernetes Privileged Pod Creation
   * Kubernetes pod creation from unknown container image registry
   * Azure device code authentication flow used
   * OneDrive file download
   * A cloud snapshot was created or modified
   * A cloud identity invoked IAM related persistence operations
   * Suspicious API call from a Tor exit node
   * An Azure Firewall Rule Collection was modified
   * A Kubernetes service account has enumerated its permissions
   * A Kubernetes namespace was created or deleted
   * Azure conditional access policy creation or modification
   * Azure Storage Account key generated
   * An identity was granted permissions to manage user access to Azure
     resources
   * Cloud storage delete protection disabled
   * Azure Key Vault Secrets were modified
   * Azure user password reset
   * Azure Automation Runbook Creation/Modification
   * An Azure Firewall policy deletion
   * Kubernetes Pod Created With Sensitive Volume
   * Modification or Deletion of an Azure Application Gateway Detected
   * An Azure VPN Connection was modified
   * OneDrive file upload
   * An Azure firewall rule group was modified
   * A Kubernetes cluster role binding was created or deleted
   * Owner was added to Azure application
   * Azure Service principal/Application creation
   * Kubernetes vulnerability scanning tool usage
   * Authentication method was added to Azure account
   * PIM privilege member removal
   * A cloud instance was stopped
   * A Kubernetes API operation was successfully invoked by an anonymous user
   * Azure Automation Account Creation
   * Network sniffing detected in Cloud environment
   * A Kubernetes role binding was created or deleted
   * Suspicious cloud compute instance ssh keys modification attempt
   * Azure virtual machine commands execution
   * An Azure Key Vault key was modified
   * Remote usage of an Azure Service Principal token
   * A Kubernetes cluster was created or deleted
   * Kubernetes cluster events deletion
   * An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or
     deleted
   * An operation was performed by an identity from a domain that was not seen
     in the organization
   * Kubernetes service account activity outside the cluster
   * A Kubernetes service was created or deleted
   * Attempted Azure application access from unknown tenant
   * An Azure DNS Zone was modified
   * An Azure Kubernetes Service Account was modified or deleted
   * A Kubernetes ConfigMap was created or deleted
   * A cloud storage configuration was modified
   * Cloud email service activity
   * Cloud identity reached a throttling API rate
   * Azure Resource Group Deletion
   * Kubernetes admission controller activity
   * A Service Principal was removed from Azure
   * An Azure Firewall was modified
   * Removal of an Azure Owner from an Application or Service Principal
   * An Azure Point-to-Site VPN was modified
   * A Kubernetes DaemonSet was created
   * Azure Kubernetes events were deleted
   * A container registry was created or deleted
   * Granting Access to an Account
   * Azure Automation Runbook Deletion
   * A cloud identity executed an API call from an unusual country
   * Unusual cross projects activity
   * OneDrive folder creation
   * Unusual exec into a Kubernetes Pod
   * Unusual resource modification by newly seen IAM user
   * A New Server was Added to an Azure Active Directory Hybrid Health ADFS
     Environment
   * An Azure Key Vault was modified
   * Suspicious heavy allocation of compute resources - possible mining activity
   * A Kubernetes dashboard service account was used outside the cluster
   * Activity in a dormant region of a cloud project
   * An Azure Cloud Shell was Created
   * Billing admin role was removed
   * Abnormal Allocation of compute resources in multiple regions
   * An identity dumped multiple secrets from a project
   * Storage enumeration activity
   * Suspicious identity downloaded multiple objects from a bucket
   * Cloud user performed multiple actions that were denied
   * Kubernetes enumeration activity
   * Allocation of multiple cloud compute resources
   * Impossible travel by a cloud identity
   * Multiple cloud snapshots export
   * Multiple failed logins from a single IP
   * An identity performed a suspicious download of multiple cloud storage
     objects
   * Deletion of multiple cloud resources
   * Multi region enumeration activity
 * Azure Flow Log
 * Azure SignIn Log
 * AzureAD
 * AzureAD Audit Log
 * Box Audit Log
 * DropBox
 * Duo
 * Gcp Audit Log
 * Gcp Flow Log
 * Google Workspace Audit Logs
 * Google Workspace Authentication
 * Health Monitoring Data
 * Office 365 Audit
 * Okta
 * Okta Audit Log
 * OneLogin
 * Palo Alto Networks Global Protect
 * Palo Alto Networks Platform Logs
 * Palo Alto Networks Url Logs
 * PingOne
 * Third-Party Firewalls
 * Third-Party VPNs
 * Windows Event Collector
 * XDR Agent
 * XDR Agent with eXtended Threat Hunting (XTH)




SSH BRUTE FORCE ATTEMPT

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: 2 Hours
Deduplication Period: 1 Day
Required Data:
 * Requires one of the following data sources:
   * AWS Flow Log
     OR
   * AWS OCSF Flow Logs
     OR
   * Azure Flow Log
     OR
   * Gcp Flow Log
     OR
   * Palo Alto Networks Platform Logs
     OR
   * Third-Party Firewalls
 * Requires one of the following data sources:
   * Palo Alto Networks Platform Logs
     OR
   * XDR Agent
Detection Modules:
Detector Tags:
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: Brute Force (T1110)
Severity: Informational

DESCRIPTION

There were multiple attempts to authenticate via SSH to a host in your network.
This may indicate a brute force attack.

ATTACKER'S GOALS

Attackers attempt to log in to a remote host.

INVESTIGATIVE ACTIONS

Audit the failed authentication attempts on the SSH server to identify the
abused user. If the abused user can authenticate to the SSH server, it may
indicate that the attacker managed to compromise the user's credentials.

VARIATIONS

SSH brute force network detected from external source

SYNOPSIS

ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: Brute Force (T1110)
Severity: Informational

DESCRIPTION

There were multiple attempts to authenticate via SSH to a host in your network.
This may indicate a brute force attack.

ATTACKER'S GOALS

Attackers attempt to log in to a remote host.

INVESTIGATIVE ACTIONS

Audit the failed authentication attempts on the SSH server to identify the
abused user. If the abused user can authenticate to the SSH server, it may
indicate that the attacker managed to compromise the user's credentials.

Rare SSH brute force attempt

SYNOPSIS

ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: Brute Force (T1110)
Severity: Low

DESCRIPTION

There were multiple attempts to authenticate via SSH to a host in your network.
This may indicate a brute force attack.

ATTACKER'S GOALS

Attackers attempt to log in to a remote host.

INVESTIGATIVE ACTIONS

Audit the failed authentication attempts on the SSH server to identify the
abused user. If the abused user can authenticate to the SSH server, it may
indicate that the attacker managed to compromise the user's credentials.


AZURE AUDIT LOG



A KUBERNETES CRONJOB WAS CREATED

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags: Kubernetes - API
ATT&CK Tactic: Persistence (TA0003)
ATT&CK Technique: Scheduled Task/Job: Container Orchestration Job (T1053.007)
Severity: Informational

DESCRIPTION

A Kubernetes CronJob was created.

ATTACKER'S GOALS

 * Maintain persistence by scheduling deployment of containers configured to
   execute malicious code.

INVESTIGATIVE ACTIONS

 * Check which changes were made to the Kubernetes CronJob.


OBJECT VERSIONING WAS DISABLED

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Impact (TA0040)
ATT&CK Technique: Inhibit System Recovery (T1490)
Severity: Informational

DESCRIPTION

Object versioning of a cloud storage resource was disabled.

ATTACKER'S GOALS

Impair the ability of the cloud environment to recover in disaster scenarios.

INVESTIGATIVE ACTIONS

 * Confirm that the identity intended to disable the resource versioning.
 * Follow further actions done by the identity.
 * Monitor this resource for other suspicious activities.

VARIATIONS

Object versioning was disabled by an unusual identity

SYNOPSIS

ATT&CK Tactic: Impact (TA0040)
ATT&CK Technique: Inhibit System Recovery (T1490)
Severity: Informational

DESCRIPTION

Cloud storage versioning was disabled/suspended by an unusual identity.

ATTACKER'S GOALS

Impair the ability of the cloud environment to recover in disaster scenarios.

INVESTIGATIVE ACTIONS

 * Confirm that the identity intended to disable the resource versioning.
 * Follow further actions done by the identity.
 * Monitor this resource for other suspicious activities.


UNUSUAL SECRET MANAGEMENT ACTIVITY

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique:
 * Unsecured Credentials (T1552)
 * Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
Severity: Informational

DESCRIPTION

A cloud identity performed a secret management operation for the first time.

ATTACKER'S GOALS

Abuse exposed secrets to gain access to restricted cloud resources and
applications.

INVESTIGATIVE ACTIONS

 * Check the identity's role designation in the organization.
 * Verify that the identity did not perform any sensitive secret management
   operation that it shouldn't.


AZURE BLOB CONTAINER ACCESS LEVEL MODIFICATION

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
 * Requires:
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: File and Directory Permissions Modification (T1222)
Severity: Informational

DESCRIPTION

The access level of a blob container was modified. This action can be dangerous
because sensitive data may be exposed.

ATTACKER'S GOALS

Access restricted data.

INVESTIGATIVE ACTIONS

 * Check whether, and which, data was exposed after the access level
   modification.


KUBERNETES NETWORK POLICY MODIFICATION

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags: Kubernetes - API
ATT&CK Tactic: Impact (TA0040)
ATT&CK Technique: Network Denial of Service (T1498)
Severity: Informational

DESCRIPTION

A change has been made to the network policies of a Kubernetes cluster.

ATTACKER'S GOALS

 * Gain access to the network infrastructure.
 * Gain access to sensitive data.
 * Gain access to Kubernetes resources.

INVESTIGATIVE ACTIONS

 * Investigate the Kubernetes Network Policy to identify the changes made.
 * Verify whether the identity should be performing this action.


PENETRATION TESTING TOOL ACTIVITY

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 7 Days
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: User Execution (T1204)
Severity: Medium

DESCRIPTION

A cloud API was successfully executed using a known penetration testing tool.

ATTACKER'S GOALS

Usage of known attack tools and frameworks.

INVESTIGATIVE ACTIONS

 * Verify whether there is an ongoing penetration test.


DENIED API CALL BY A KUBERNETES SERVICE ACCOUNT

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags: Kubernetes - API
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: User Execution (T1204)
Severity: Informational

DESCRIPTION

A Kubernetes service account API call was denied.

ATTACKER'S GOALS

Gain access to the Kubernetes cluster.

INVESTIGATIVE ACTIONS

 * Check whether the service account should be making this API call.
 * Check the service account's activity, including additional executed API
   calls.

VARIATIONS

Denied API call by Kubernetes service account for the first time in the cluster

SYNOPSIS

ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: User Execution (T1204)
Severity: Low

DESCRIPTION

A Kubernetes service account API call was denied.

ATTACKER'S GOALS

Gain access to the Kubernetes cluster.

INVESTIGATIVE ACTIONS

 * Check whether the service account should be making this API call.
 * Check the service account's activity, including additional executed API
   calls.

Suspicious denied API call by a Kubernetes service account

SYNOPSIS

ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: User Execution (T1204)
Severity: Informational

DESCRIPTION

A Kubernetes service account API call was denied.

ATTACKER'S GOALS

Gain access to the Kubernetes cluster.

INVESTIGATIVE ACTIONS

 * Check whether the service account should be making this API call.
 * Check the service account's activity, including additional executed API
   calls.


KUBERNETES POD CREATION WITH HOST NETWORK

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags: Kubernetes - API
ATT&CK Tactic:
 * Privilege Escalation (TA0004)
 * Execution (TA0002)
ATT&CK Technique:
 * Escape to Host (T1611)
 * Deploy Container (T1610)
Severity: Informational

DESCRIPTION

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost,
sniff traffic on any interface on the host, and potentially bypass the network
policy.

ATTACKER'S GOALS

 * Access services bound to localhost.
 * Sniff traffic on any interface on the host.
 * Bypass network policy.

INVESTIGATIVE ACTIONS

 * Check the identity's role designation in the organization.
 * Inspect for any unusual access to localhost services.
 * Inspect for any network sniffing tool being used inside the Kubernetes Pod.

VARIATIONS

Kubernetes pod creation with host network for the first time in the cluster

SYNOPSIS

ATT&CK Tactic:
 * Privilege Escalation (TA0004)
 * Execution (TA0002)
ATT&CK Technique:
 * Escape to Host (T1611)
 * Deploy Container (T1610)
Severity: Low

DESCRIPTION

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost,
sniff traffic on any interface on the host, and potentially bypass the network
policy.

ATTACKER'S GOALS

 * Access services bound to localhost.
 * Sniff traffic on any interface on the host.
 * Bypass network policy.

INVESTIGATIVE ACTIONS

 * Check the identity's role designation in the organization.
 * Inspect for any unusual access to localhost services.
 * Inspect for any network sniffing tool being used inside the Kubernetes Pod.

Kubernetes pod creation with host network for the first time in the namespace

SYNOPSIS

ATT&CK Tactic:
 * Privilege Escalation (TA0004)
 * Execution (TA0002)
ATT&CK Technique:
 * Escape to Host (T1611)
 * Deploy Container (T1610)
Severity: Low

DESCRIPTION

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost,
sniff traffic on any interface on the host, and potentially bypass the network
policy.

ATTACKER'S GOALS

 * Access services bound to localhost.
 * Sniff traffic on any interface on the host.
 * Bypass network policy.

INVESTIGATIVE ACTIONS

 * Check the identity's role designation in the organization.
 * Inspect for any unusual access to localhost services.
 * Inspect for any network sniffing tool being used inside the Kubernetes Pod.

Kubernetes pod creation with host network for the first time by the identity

SYNOPSIS

ATT&CK Tactic:
 * Privilege Escalation (TA0004)
 * Execution (TA0002)
ATT&CK Technique:
 * Escape to Host (T1611)
 * Deploy Container (T1610)
Severity: Low

DESCRIPTION

An identity created a Kubernetes pod attached to the host network.
This may indicate an adversary attempting to access services bound to localhost,
sniff traffic on any interface on the host, and potentially bypass the network
policy.

ATTACKER'S GOALS

 * Access services bound to localhost.
 * Sniff traffic on any interface on the host.
 * Bypass network policy.

INVESTIGATIVE ACTIONS

 * Check the identity's role designation in the organization.
 * Inspect for any unusual access to localhost services.
 * Inspect for any network sniffing tool being used inside the Kubernetes Pod.


AZURE USER CREATION/DELETION

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires:
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Persistence (TA0003)
ATT&CK Technique:
 * Valid Accounts (T1078)
 * Account Manipulation (T1098)
Severity: Informational

DESCRIPTION

A user in Azure was created or deleted.

ATTACKER'S GOALS

Gain persistence into the account.

INVESTIGATIVE ACTIONS

 * Look for any unusual behavior originating from the suspected identity, and
   check whether it is compromised.


AZURE MAILBOX RULE CREATION

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires:
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic:
 * Collection (TA0009)
 * Defense Evasion (TA0005)
ATT&CK Technique:
 * Email Collection: Email Forwarding Rule (T1114.003)
 * Indicator Removal: Clear Mailbox Data (T1070.008)
Severity: Informational

DESCRIPTION

A mailbox rule in Azure was created.

ATTACKER'S GOALS

Intercept or exfiltrate sensitive information.

INVESTIGATIVE ACTIONS

 * Investigate the rule's details and confirm its legitimacy.
 * Look for any unusual behavior originating from the suspected identity, and
   check whether it is compromised.

VARIATIONS

Unusual Azure mailbox rule creation

SYNOPSIS

ATT&CK Tactic:
 * Collection (TA0009)
 * Defense Evasion (TA0005)
ATT&CK Technique:
 * Email Collection: Email Forwarding Rule (T1114.003)
 * Indicator Removal: Clear Mailbox Data (T1070.008)
Severity: Low

DESCRIPTION

A mailbox rule in Azure was created.

ATTACKER'S GOALS

Intercept or exfiltrate sensitive information.

INVESTIGATIVE ACTIONS

 * Investigate the rule's details and confirm its legitimacy.
 * Look for any unusual behavior originating from the suspected identity, and
   check whether it is compromised.


AZURE KEY VAULT MODIFICATION

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 3 Hours
Required Data:
 * Requires:
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: Unsecured Credentials (T1552)
Severity: Informational

DESCRIPTION

Azure Key Vault modifications can be crucial, as the vault stores secrets such
as encryption keys and certificates.

ATTACKER'S GOALS

Exfiltrate information, persist on existing users, or damage critical accounts.

INVESTIGATIVE ACTIONS

 * Check the identity's actions before and after the Key Vault modification.
 * Find which credentials were modified and how they are used.


AN AZURE KUBERNETES ROLE OR CLUSTER-ROLE WAS MODIFIED

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires:
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Privilege Escalation (TA0004)
ATT&CK Technique: Valid Accounts (T1078)
Severity: Informational

DESCRIPTION

An Azure Kubernetes Role or Cluster-Role was modified or deleted. This could
indicate malicious activity and should be investigated.

ATTACKER'S GOALS

 * Escalate privileges to gain access to restricted resources in the Azure
   Kubernetes cluster.

INVESTIGATIVE ACTIONS

 * Investigate which actions were made by the identity and identify any
   suspicious activity.


UNUSUAL KEY MANAGEMENT ACTIVITY

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
 * Requires one of the following data sources:
   * AWS Audit Log
     OR
   * Azure Audit Log
     OR
   * Gcp Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique: Unsecured Credentials (T1552)
Severity: Informational

DESCRIPTION

A cloud identity performed a key management operation for the first time.

ATTACKER'S GOALS

Abuse exposed cryptographic keys to decrypt sensitive information or create
digital signatures to craft malicious messages.
Using the decrypted information, the attacker may perform additional activities
in an evasive manner.

INVESTIGATIVE ACTIONS

 * Check the identity's role designation in the organization.
 * Verify that the identity did not perform any sensitive KMS operation that it
   shouldn't.


EXTERNAL USER INVITATION TO AZURE TENANT

SYNOPSIS

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
 * Requires:
   * Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic:
 * Persistence (TA0003)
 * Privilege Escalation (TA0004)
ATT&CK Technique: Account Manipulation (T1098)
Severity: Informational

DESCRIPTION

An external user was invited to the Azure tenant.

ATTACKER'S GOALS

Gain unauthorized access to the tenant.

INVESTIGATIVE ACTIONS

 * Look for any unusual behavior originating from the suspected identity, and
   check whether it is compromised.