First Occurrence of Okta User Session Started via Proxy
Jul 24, 2024
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
New Okta Authentication Behavior Detected
Jul 24, 2024
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta
Okta FastPass Phishing Detection
Jul 24, 2024
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
Okta Sign-In Events via Third-Party IdP
Jul 24, 2024
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta
Suspicious Activity Reported by Okta User
Jul 24, 2024
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
Unauthorized Access to an Okta Application
Jul 24, 2024
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
First Time Seen Google Workspace OAuth Login from Third-Party Application
Jul 11, 2024
Domain: Cloud
Data Source: Google Workspace
Tactic: Defense Evasion
Tactic: Initial Access
Suspicious Microsoft 365 Mail Access by ClientAppId
Jul 5, 2024
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
Google Workspace Object Copied to External Drive with App Consent
Jul 1, 2024
Domain: Cloud
Data Source: Google Workspace
Tactic: Initial Access
Resources: Investigation Guide
Suspicious JetBrains TeamCity Child Process
Jun 26, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Microsoft Defender for Endpoint
Suspicious MS Outlook Child Process
Jun 26, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
Okta User Sessions Started from Different Geolocations
Jun 20, 2024
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
Rare User Logon
Jun 19, 2024
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
Unusual Hour for a User to Logon
Jun 19, 2024
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
Unusual Linux Username
Jun 19, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Unusual Source IP for a User to Logon from
Jun 19, 2024
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Unusual Windows Remote User
Jun 19, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Unusual Windows Username
Jun 19, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Web Shell Detection: Script Process Child of Common Web Processes
Jun 11, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: SentinelOne
Accepted Default Telnet Port Connection
May 22, 2024
Domain: Endpoint
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Tactic: Initial Access
AWS Execution via System Manager
May 22, 2024
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS SSM
Use Case: Log Auditing
Tactic: Initial Access
Resources: Investigation Guide
AWS IAM Password Recovery Requested
May 22, 2024
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Tactic: Initial Access
AWS Management Console Root Login
May 22, 2024
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure Active Directory High Risk Sign-in
May 22, 2024
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure Active Directory High Risk User Sign-in Heuristic
May 22, 2024
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure Active Directory PowerShell Sign-in
May 22, 2024
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure External Guest User Invitation
May 22, 2024
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access
Command Execution via SolarWinds Process
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Execution from a Removable Media with Network Connection
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
External User Added to Google Workspace Group
May 22, 2024
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Resources: Investigation Guide
First Time Seen Removable Device
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
GCP IAM Custom Role Creation
May 22, 2024
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Initial Access
Google Workspace Suspended User Account Renewed
May 22, 2024
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Inbound Connection to an Unsecure Elasticsearch Node
May 22, 2024
Use Case: Threat Detection
Tactic: Initial Access
Domain: Endpoint
Kubernetes Anonymous Request Authorized
May 22, 2024
Data Source: Kubernetes
Tactic: Execution
Tactic: Initial Access
Tactic: Defense Evasion
Microsoft 365 Exchange Anti-Phish Policy Deletion
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
Microsoft 365 Exchange Anti-Phish Rule Modification
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
Microsoft 365 Exchange Safe Link Policy Disabled
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Initial Access
Microsoft 365 User Restricted from Sending Email
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
Microsoft Exchange Server UM Spawning Suspicious Processes
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Microsoft Exchange Server UM Writing Suspicious Files
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
Microsoft Exchange Worker Spawning Suspicious Processes
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Mounting Hidden or WebDav Remote Shares
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
O365 Email Reported by User as Malware or Phish
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Tactic: Initial Access
O365 Mailbox Audit Logging Bypass
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Tactic: Initial Access
Tactic: Defense Evasion
Possible Consent Grant Attack via Azure-Registered Application
May 22, 2024
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Potential Buffer Overflow Attack Detected
May 22, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Initial Access
Use Case: Vulnerability
Rule Type: Higher-Order Rule
Potential Masquerading as Business App Installer
May 22, 2024
Domain: Endpoint
Data Source: Elastic Defend
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Tactic: Execution
Potential Remote Code Execution via Web Server
May 22, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Defend
Potential Remote File Execution via MSIEXEC
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Data Source: Elastic Defend
Remote XSL Script Execution via COM
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Data Source: Elastic Defend
RPC (Remote Procedure Call) from the Internet
May 22, 2024
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection
RPC (Remote Procedure Call) to the Internet
May 22, 2024
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection
ScreenConnect Server Spawning Suspicious Processes
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
SMB (Windows File Sharing) Activity to the Internet
May 22, 2024
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection
SolarWinds Process Disabling Services via Registry
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
SSH Connection Established Inside A Running Container
May 22, 2024
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Suspicious Browser Child Process
May 22, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Defend
Suspicious Execution from INET Cache
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Command and Control
Data Source: Elastic Endgame
Data Source: Elastic Defend
Suspicious Execution via Microsoft Office Add-Ins
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Suspicious Explorer Child Process
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Suspicious HTML File Creation
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
Suspicious MS Office Child Process
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Suspicious PDF Reader Child Process
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Unusual Execution via Microsoft Common Console File
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Windows Script Executing PowerShell
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Windows Script Interpreter Executing Process via WMI
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Zoom Meeting with no Passcode
May 22, 2024
Data Source: Zoom
Use Case: Configuration Audit
Tactic: Initial Access
Suspicious macOS MS Office Child Process
May 20, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
Microsoft 365 Impossible travel activity
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access