Azure Blob Permissions Modification
Sep 5, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Rare User Logon
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
·
Spike in Failed Logon Events
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Resources: Investigation Guide
·
Spike in Logon Events
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Spike in Successful Logon Events from a Source IP
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
·
Unusual Hour for a User to Logon
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
·
Unusual Login Activity
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Unusual Source IP for a User to Logon from
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Attempt to Deactivate an Okta Policy Rule
Aug 21, 2023
·
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Okta
·
Attempt to Deactivate MFA for an Okta User Account
Aug 21, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
·
Attempt to Modify an Okta Policy Rule
Aug 21, 2023
·
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Okta
·
Attempt to Reset MFA Factors for an Okta User Account
Aug 21, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
·
Attempted Bypass of Okta MFA
Aug 21, 2023
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Attempts to Brute Force an Okta User Account
Aug 21, 2023
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
High Number of Okta User Password Reset or Unlock Attempts
Aug 21, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Modification or Removal of an Okta Application Sign-On Policy
Aug 21, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
·
Okta Brute Force or Password Spraying Attack
Aug 21, 2023
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Okta User Session Impersonation
Aug 21, 2023
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Potential Abuse of Repeated MFA Push Notifications
Aug 21, 2023
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Unauthorized Access to an Okta Application
Aug 21, 2023
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
·
Attempt to Deactivate an Okta Application
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Attempt to Deactivate an Okta Network Zone
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Attempt to Deactivate an Okta Policy
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Attempt to Delete an Okta Network Zone
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Attempt to Delete an Okta Policy
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Attempt to Delete an Okta Policy Rule
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Attempt to Modify an Okta Network Zone
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Attempt to Modify an Okta Policy
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Attempt to Revoke Okta API Token
Jul 17, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Administrator Privileges Assigned to an Okta Group
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Persistence
·
Administrator Role Assigned to an Okta User
Jun 22, 2023
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Persistence
·
Attempt to Create Okta API Token
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Persistence
·
Attempt to Delete an Okta Application
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Attempt to Modify an Okta Application
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Attempts to Brute Force a Microsoft 365 User Account
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
AWS IAM Assume Role Policy Update
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
·
AWS IAM Brute Force of Assume Role Policy
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
·
AWS IAM Group Creation
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Persistence
·
AWS IAM Password Recovery Requested
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Initial Access
·
AWS IAM User Addition to Group
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
Tactic: Persistence
Resources: Investigation Guide
·
AWS Management Console Brute Force of Root User Identity
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
·
AWS Management Console Root Login
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
AWS Root Login Without MFA
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
·
AWS SAML Activity
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
AWS Security Token Service (STS) AssumeRole Usage
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
AWS STS GetSessionToken Abuse
Jun 22, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
Azure Active Directory High Risk Sign-in
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Azure Active Directory High Risk User Sign-in Heuristic
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Azure Active Directory PowerShell Sign-in
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Azure AD Global Administrator Role Assigned
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
·
Azure Application Credential Modification
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
Azure Automation Account Created
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
·
Azure External Guest User Invitation
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Azure Global Administrator Role Addition to PIM User
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
·
Azure Kubernetes Rolebindings Created
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
Azure Privilege Identity Management Role Modified
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Azure Service Principal Addition
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Defense Evasion
·
Azure Service Principal Credentials Added
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Impact
·
Azure Storage Account Key Regenerated
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Credential Access
·
External User Added to Google Workspace Group
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Resources: Investigation Guide
·
GCP IAM Custom Role Creation
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Initial Access
·
GCP IAM Role Deletion
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
GCP IAM Service Account Key Deletion
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
·
GCP Service Account Creation
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
·
GCP Service Account Deletion
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
GCP Service Account Disabled
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
GCP Service Account Key Creation
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
·
GCP Storage Bucket Configuration Modification
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
GCP Storage Bucket Permissions Modification
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
Google Workspace Admin Role Assigned to a User
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Google Workspace Admin Role Deletion
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Impact
Resources: Investigation Guide
·
Google Workspace API Access Granted via Domain-Wide Delegation of Authority
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Google Workspace Custom Admin Role Created
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Google Workspace Password Policy Modified
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Google Workspace Role Modified
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Google Workspace Suspended User Account Renewed
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
·
MFA Disabled for Google Workspace Organization
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Microsoft 365 Exchange Management Group Role Assignment
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Persistence
·
Microsoft 365 Exchange Safe Link Policy Disabled
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Microsoft 365 Global Administrator Role Assigned
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Persistence
·
Multi-Factor Authentication Disabled for an Azure User
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
New or Modified Federation Domain
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
O365 Excessive Single Sign-On Logon Errors
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Okta ThreatInsight Threat Suspected Promotion
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
·
Possible Consent Grant Attack via Azure-Registered Application
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Possible Okta DoS Attack
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Potential Password Spraying of Microsoft 365 User Accounts
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Suspicious Activity Reported by Okta User
Jun 22, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
·