Attempts to Brute Force a Microsoft 365 User Account
Oct 10, 2024
·
Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
AWS IAM AdministratorAccess Policy Attached to Group
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
AWS IAM AdministratorAccess Policy Attached to Role
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
AWS IAM AdministratorAccess Policy Attached to User
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
AWS IAM User Created Access Keys For Another User
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
Oct 10, 2024
·
Domain: Cloud
Domain: SaaS
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
Oct 10, 2024
·
Domain: Cloud
Domain: SaaS
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
High Number of Okta Device Token Cookies Generated for Authentication
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
Multiple Device Token Hashes for Single Okta Session
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
Domain: SaaS
Multiple Okta User Authentication Events with Client Address
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
Multiple Okta User Authentication Events with Same Device Token Hash
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
Okta User Sessions Started from Different Geolocations
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
Successful Application SSO from Rare Unknown Client Device
Oct 7, 2024
·
Domain: SaaS
Data Source: Okta
Use Case: Threat Detection
Use Case: Identity and Access Audit
Tactic: Initial Access
Administrator Privileges Assigned to an Okta Group
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Persistence
Administrator Role Assigned to an Okta User
Sep 25, 2024
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Persistence
Attempt to Create Okta API Token
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Persistence
Attempt to Deactivate an Okta Application
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
Attempt to Deactivate an Okta Network Zone
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
Attempt to Deactivate an Okta Policy
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
Attempt to Deactivate an Okta Policy Rule
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Okta
Attempt to Delete an Okta Application
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
Attempt to Delete an Okta Network Zone
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
Attempt to Delete an Okta Policy
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
Attempt to Delete an Okta Policy Rule
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
Attempt to Modify an Okta Application
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
Attempt to Modify an Okta Network Zone
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
Attempt to Modify an Okta Policy
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
Attempt to Modify an Okta Policy Rule
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Okta
Attempt to Reset MFA Factors for an Okta User Account
Sep 25, 2024
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Attempt to Revoke Okta API Token
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
Attempted Bypass of Okta MFA
Sep 25, 2024
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Credential Access
Attempts to Brute Force an Okta User Account
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
External User Added to Google Workspace Group
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Resources: Investigation Guide
First Occurrence of Okta User Session Started via Proxy
Sep 25, 2024
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
Google Workspace Admin Role Assigned to a User
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
Google Workspace Admin Role Deletion
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Impact
Resources: Investigation Guide
Google Workspace API Access Granted via Domain-Wide Delegation
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
Google Workspace Custom Admin Role Created
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
Google Workspace Password Policy Modified
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
Google Workspace Role Modified
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
Google Workspace Suspended User Account Renewed
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
High Number of Okta User Password Reset or Unlock Attempts
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
MFA Deactivation with no Re-Activation for Okta User Account
Sep 25, 2024
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Domain: Cloud
MFA Disabled for Google Workspace Organization
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
Modification or Removal of an Okta Application Sign-On Policy
Sep 25, 2024
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Multiple Okta Sessions Detected for a Single User
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Lateral Movement
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
New Okta Authentication Behavior Detected
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta
New Okta Identity Provider (IdP) Added by Admin
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Persistence
Data Source: Okta
Okta Brute Force or Password Spraying Attack
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
Okta FastPass Phishing Detection
Sep 25, 2024
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
Okta Sign-In Events via Third-Party IdP
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta
Okta ThreatInsight Threat Suspected Promotion
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Okta User Session Impersonation
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
Possible Okta DoS Attack
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
Potential Okta MFA Bombing via Push Notifications
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
Potentially Successful MFA Bombing via Push Notifications
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
Stolen Credentials Used to Login to Okta Account After MFA Reset
Sep 25, 2024
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Data Source: Elastic Defend
Rule Type: Higher-Order Rule
Domain: Endpoint
Domain: Cloud
Suspicious Activity Reported by Okta User
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
Unauthorized Access to an Okta Application
Sep 25, 2024
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
Sep 25, 2024
·
Domain: SaaS
Data Source: Okta
Use Case: Threat Detection
Use Case: Identity and Access Audit
Tactic: Defense Evasion
AWS STS GetCallerIdentity API Called for the First Time
Sep 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Discovery
Resources: Investigation Guide
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
Sep 10, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
AWS IAM SAML Provider Updated
Aug 20, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
AWS STS Temporary Credentials via AssumeRole
Aug 20, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
AWS IAM CompromisedKeyQuarantine Policy Attached to User
Aug 1, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Resources: Investigation Guide
Use Case: Identity and Access Audit
Tactic: Credential Access
AWS EC2 Instance Console Login via Assumed Role
Jul 31, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Lateral Movement
Tactic: Credential Access
AWS EC2 Instance Interaction with IAM Service
Jul 31, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Persistence
AWS EC2 Instance Connect SSH Public Key Uploaded
Jul 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
AWS IAM Roles Anywhere Profile Creation
Jul 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Persistence
AWS IAM Roles Anywhere Trust Anchor Created with External CA
Jul 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Persistence
Entra ID Device Code Auth with Broker Client
Jul 1, 2024
·
Domain: Cloud
Data Source: Azure
Data Source: Microsoft Entra ID
Use Case: Identity and Access Audit
Tactic: Credential Access
Rare User Logon
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
Spike in Failed Logon Events
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Resources: Investigation Guide
Spike in Logon Events
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Spike in Successful Logon Events from a Source IP
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Unusual Hour for a User to Logon
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
Unusual Login Activity
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Unusual Source IP for a User to Logon from
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
New or Modified Federation Domain
Jun 4, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
AWS EC2 Admin Credential Fetch via Assumed Role
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: Amazon EC2
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
AWS IAM Assume Role Policy Update
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
AWS IAM Brute Force of Assume Role Policy
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
AWS IAM Group Creation
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Persistence
AWS IAM Password Recovery Requested
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Tactic: Initial Access
AWS IAM User Addition to Group
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
Tactic: Persistence
Resources: Investigation Guide
AWS Management Console Brute Force of Root User Identity
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
AWS Management Console Root Login
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
AWS Root Login Without MFA
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
AWS STS GetSessionToken Abuse
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Azure Active Directory High Risk Sign-in
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure Active Directory High Risk User Sign-in Heuristic
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure Active Directory PowerShell Sign-in
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
Azure AD Global Administrator Role Assigned
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
Azure Application Credential Modification
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Azure Automation Account Created
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
Azure Blob Permissions Modification
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Elastic Defend
Azure External Guest User Invitation
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access
Azure Global Administrator Role Addition to PIM User
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
Azure Kubernetes Rolebindings Created
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Azure Privilege Identity Management Role Modified
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
Azure Service Principal Addition
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Defense Evasion
Azure Service Principal Credentials Added
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Impact
Azure Storage Account Key Regenerated
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Credential Access
GCP IAM Custom Role Creation
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Initial Access
GCP IAM Role Deletion
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
GCP IAM Service Account Key Deletion
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
GCP Service Account Creation
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
GCP Service Account Deletion
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
GCP Service Account Disabled
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
GCP Service Account Key Creation
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
GCP Storage Bucket Configuration Modification
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Defense Evasion
GCP Storage Bucket Permissions Modification
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Microsoft 365 Exchange Management Group Role Assignment
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Persistence
Microsoft 365 Exchange Safe Link Policy Disabled
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Initial Access
Microsoft 365 Global Administrator Role Assigned
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Persistence
Multi-Factor Authentication Disabled for an Azure User
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
O365 Excessive Single Sign-On Logon Errors
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
Possible Consent Grant Attack via Azure-Registered Application
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access