Okta FastPass Phishing Detection
Nov 28, 2023
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta

Multiple Okta Client Addresses for a Single User Session
Nov 28, 2023
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access

Okta Sign-In Events via Third-Party IdP
Nov 27, 2023
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta

First Occurrence of Okta User Session Started via Proxy
Nov 27, 2023
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta

New Okta Authentication Behavior Detected
Nov 27, 2023
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta

Suspicious Browser Child Process
Nov 22, 2023
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Defend

Suspicious macOS MS Office Child Process
Nov 22, 2023
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend

Okta User Sessions Started from Different Geolocations
Nov 21, 2023
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access

Potential Remote Code Execution via Web Server
Nov 3, 2023
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Defend

Command Execution via SolarWinds Process
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend

Microsoft Exchange Server UM Spawning Suspicious Processes
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend

Microsoft Exchange Server UM Writing Suspicious Files
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend

Microsoft Exchange Worker Spawning Suspicious Processes
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend

Mounting Hidden or WebDav Remote Shares
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend

SolarWinds Process Disabling Services via Registry
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend

Suspicious Explorer Child Process
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend

Suspicious HTML File Creation
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend

Suspicious MS Office Child Process
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend

Suspicious MS Outlook Child Process
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend

Suspicious PDF Reader Child Process
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend

Web Shell Detection: Script Process Child of Common Web Processes
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend

Windows Script Executing PowerShell
Oct 30, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend

Zoom Meeting with no Passcode
Oct 30, 2023
Data Source: Zoom
Use Case: Configuration Audit
Tactic: Initial Access

AWS Execution via System Manager
Oct 24, 2023
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Tactic: Initial Access
Resources: Investigation Guide

AWS IAM Password Recovery Requested
Oct 24, 2023
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Initial Access

AWS Management Console Root Login
Oct 24, 2023
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access

Suspicious Activity Reported by Okta User
Oct 24, 2023
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access

Unauthorized Access to an Okta Application
Oct 24, 2023
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta

Inbound Connection to an Unsecure Elasticsearch Node
Oct 16, 2023
Use Case: Threat Detection
Tactic: Initial Access
Domain: Endpoint

Windows Script Interpreter Executing Process via WMI
Oct 15, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend

Accepted Default Telnet Port Connection
Oct 3, 2023
Domain: Endpoint
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Tactic: Initial Access

RPC (Remote Procedure Call) from the Internet
Oct 3, 2023
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection

RPC (Remote Procedure Call) to the Internet
Oct 3, 2023
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection

SMB (Windows File Sharing) Activity to the Internet
Oct 3, 2023
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection

First Time Seen Removable Device
Sep 5, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend

Suspicious Execution via Microsoft Office Add-Ins
Sep 5, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend

Rare User Logon
Aug 22, 2023
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide

Unusual Hour for a User to Logon
Aug 22, 2023
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide

Unusual Linux Username
Aug 22, 2023
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access

Unusual Source IP for a User to Logon from
Aug 22, 2023
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access

Unusual Windows Remote User
Aug 22, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access

Unusual Windows Username
Aug 22, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access

Suspicious Microsoft 365 Mail Access by ClientAppId
Jul 19, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access

Kubernetes Anonymous Request Authorized
Jul 17, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Initial Access
Tactic: Defense Evasion

Azure Active Directory High Risk Sign-in
Jun 22, 2023
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access

Azure Active Directory High Risk User Sign-in Heuristic
Jun 22, 2023
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access

Azure Active Directory PowerShell Sign-in
Jun 22, 2023
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access

Azure External Guest User Invitation
Jun 22, 2023
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access

External User Added to Google Workspace Group
Jun 22, 2023
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Resources: Investigation Guide

First Time Seen Google Workspace OAuth Login from Third-Party Application
Jun 22, 2023
Domain: Cloud
Data Source: Google Workspace
Tactic: Defense Evasion
Tactic: Initial Access

GCP IAM Custom Role Creation
Jun 22, 2023
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Initial Access

Google Workspace Object Copied from External Drive and Access Granted to Custom Application
Jun 22, 2023
Domain: Cloud
Data Source: Google Workspace
Tactic: Initial Access
Resources: Investigation Guide

Google Workspace Suspended User Account Renewed
Jun 22, 2023
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access

Microsoft 365 Exchange Anti-Phish Policy Deletion
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access

Microsoft 365 Exchange Anti-Phish Rule Modification
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access

Microsoft 365 Exchange Safe Link Policy Disabled
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Initial Access

Microsoft 365 Impossible travel activity
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access

Microsoft 365 User Restricted from Sending Email
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access

O365 Email Reported by User as Malware or Phish
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Tactic: Initial Access

O365 Mailbox Audit Logging Bypass
Jun 22, 2023
Domain: Cloud
Data Source: Microsoft 365
Tactic: Initial Access
Tactic: Defense Evasion

Possible Consent Grant Attack via Azure-Registered Application
Jun 22, 2023
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access

SSH Connection Established Inside A Running Container
Jun 22, 2023
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement