Penetration testing tool activity attempt

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	2 Days
Required Data	Requires: Office 365 Audit
Detection Modules	Identity Analytics
ATT&CK Tactic	Execution (TA0002)
ATT&CK Technique	Serverless Execution (T1648)
Severity	Informational

Description

A SaaS API was invoked by a penetration testing tool.

Attacker's Goals

Usage of known tools and frameworks.

Investigative actions

Check if there is an active PT test ongoing.

Variations

Penetration testing tool activity attempt

Synopsis

ATT&CK Tactic	Execution (TA0002)
ATT&CK Technique	Serverless Execution (T1648)
Severity	Medium

Description

A SaaS API was successfully invoked by a penetration testing tool.

Attacker's Goals

Usage of known tools and frameworks.

Investigative actions

Check if there is an active PT test ongoing.