EXPLORE DETECTIONS
Spike in GCP Audit Failed Messages
A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
Spike in Group Application Assignment Change Events
A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity. Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment.
Spike in Group Lifecycle Change Events
A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privileged access activity. Adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system.
Spike in Group Management Events
A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity. The job has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups), which could point to an attempt to escalate privileges or to unauthorized modifications of group memberships.
Spike in Group Membership Events
A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity. Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches.
Spike in Group Privilege Change Events
A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity. Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.
Spike in host-based traffic
A machine learning job has detected a sudden spike in host-based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, malware infections, privilege escalation, or data exfiltration.
Spike in Logon Events
A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute-force activity.
Spike in Network Traffic
A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.
Spike in Network Traffic To a Country
A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.
Spike in Number of Connections Made from a Source IP
A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.
Spike in Number of Connections Made to a Destination IP
A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.
Spike in Number of Processes in an RDP Session
A machine learning job has detected an unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity.
Spike in Privileged Command Execution by a User
A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity. This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system.
Spike in Remote File Transfers
A machine learning job has detected an abnormal volume of remote files shared on the host, indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. To evade detection, attackers might perform multiple small transfers that blend in with normal egress activity in the network.
Spike in Special Logon Events
A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity. A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation.
Spike in Special Privilege Use Events
A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations and service calls, for a user, suggesting potential unauthorized privileged access. A sudden spike in these events may indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system.
Spike in Successful Logon Events from a Source IP
A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration, or brute-force activity.
Spike in User Account Management Events
A machine learning job has identified a spike in user account management events for a user, indicating potential privileged access activity. The job has flagged an unusual increase in actions related to managing user accounts (such as creating, modifying, or deleting accounts), which could be a sign of an attempt to escalate privileges or of unauthorized activity involving account management.
Spike in User Lifecycle Management Change Events
A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity. Threat actors may manipulate user accounts to gain higher access rights or persist within the environment.
Splunk External Alerts
Generates a detection alert for each Splunk alert written to the configured indices. Enabling this rule allows you to immediately begin investigating Splunk alerts in the app.
SSH Authorized Key File Activity Detected via Defend for Containers
This rule detects the creation or modification of an authorized_keys file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
SSH Authorized Keys File Activity
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
SSH Authorized Keys File Deletion
This rule detects the deletion of the authorized_keys or authorized_keys2 files on Linux systems. These files are used to store public keys for SSH authentication. Unauthorized deletion of these files can be an indicator of an attacker removing access to the system, and may be a precursor to further malicious activity.