Interactive login by a machine account

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts: Domain Accounts (T1078.002)

Severity

Informational

Description

A machine account (a domain computer account, whose name ends in $) performed an interactive (logon type 2) or remote interactive (logon type 10, for example RDP) login. Computer accounts normally authenticate with network or service logons rather than opening a desktop session, so an interactive login under one is unusual and may indicate that an attacker is using a compromised or attacker-controlled machine account.

Attacker's Goals

Use an account that has access to resources to move laterally in the network and access privileged resources.

Investigative actions

  • See whether the login was successful (the successful variation of this alert is raised separately).
  • Check whether the account performed administrative actions it does not usually perform.
  • Look for further logins and authentications by the account throughout the network, and compare the source hosts with where the computer account normally authenticates from.

Variations

Successful interactive login by a machine account

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts: Domain Accounts (T1078.002)

Severity

Low

Description

A machine account (a domain computer account, whose name ends in $) performed a successful interactive (logon type 2) or remote interactive (logon type 10) login. Because the session was established, this variation carries a higher severity than the base alert.

Attacker's Goals

Use an account that has access to resources to move laterally in the network and access privileged resources.

Investigative actions

  • Identify the source host and the logon type of the successful login, and confirm whether a session under the computer account is expected there.
  • Check whether the account performed administrative actions it does not usually perform.
  • Look for further logins and authentications by the account throughout the network, and compare the source hosts with where the computer account normally authenticates from.
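The logic behind this alert and its successful variation, expressed as a small detector run over Windows Security log events. This is an added example, not Cortex XDR code and not the product's detection implementation: it assumes flattened 4624 (successful logon) and 4625 (failed logon) records with the standard TargetUserName, LogonType, IpAddress and WorkstationName fields, as a Windows Event Collector would forward them, and the sample events below are constructed. It applies the account-name and logon-type tests from the description, maps a failed attempt to the Informational base alert and a successful logon to the Low-severity variation, enforces the one-day deduplication period per account and variation, and includes the "look for more logins by the account" investigative step as a helper.

```python
"""Detect interactive/remote-interactive logins by machine accounts.

Added example, not Cortex XDR code. Event shape and field names follow the
Windows Security log schema (4624/4625); sample events are constructed.
"""
from datetime import datetime, timedelta

# Logon types that open a session for a user: 2 = Interactive (console),
# 10 = RemoteInteractive (RDP). Machine accounts normally use 3 (Network).
INTERACTIVE_LOGON_TYPES = {"2", "10"}
DEDUP_WINDOW = timedelta(days=1)  # the alert's 1-day deduplication period

# Constructed sample events (not real telemetry) in flattened 4624/4625 form.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-06-01T08:00:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": "2", "IpAddress": "-", "WorkstationName": "WS01"},
    {"EventID": 4624, "TimeCreated": "2024-06-01T08:05:00", "TargetUserName": "WS01$",
     "TargetDomainName": "CORP", "LogonType": "3", "IpAddress": "10.0.0.5", "WorkstationName": "WS01"},
    {"EventID": 4625, "TimeCreated": "2024-06-01T09:00:00", "TargetUserName": "FILESRV01$",
     "TargetDomainName": "CORP", "LogonType": "10", "IpAddress": "10.0.0.77", "WorkstationName": "WS42"},
    {"EventID": 4624, "TimeCreated": "2024-06-01T09:01:00", "TargetUserName": "FILESRV01$",
     "TargetDomainName": "CORP", "LogonType": "10", "IpAddress": "10.0.0.77", "WorkstationName": "WS42"},
    {"EventID": 4624, "TimeCreated": "2024-06-01T15:00:00", "TargetUserName": "FILESRV01$",
     "TargetDomainName": "CORP", "LogonType": "10", "IpAddress": "10.0.0.77", "WorkstationName": "WS42"},
    {"EventID": 4624, "TimeCreated": "2024-06-03T10:00:00", "TargetUserName": "FILESRV01$",
     "TargetDomainName": "CORP", "LogonType": "2", "IpAddress": "-", "WorkstationName": "FILESRV01"},
]


def is_machine_account(user_name):
    """Domain computer accounts are named after the host with a trailing '$'."""
    return user_name.endswith("$")


def classify(event):
    """Return an alert dict for one event, or None if it does not match.

    4625 (failed) -> base alert, Informational; 4624 (success) -> variation, Low.
    """
    if event["LogonType"] not in INTERACTIVE_LOGON_TYPES:
        return None
    if not is_machine_account(event["TargetUserName"]):
        return None
    if event["EventID"] == 4624:
        variation, severity = "Successful interactive login by a machine account", "Low"
    elif event["EventID"] == 4625:
        variation, severity = "Interactive login by a machine account", "Informational"
    else:
        return None
    # Prefer the source IP; fall back to the workstation name for console logons.
    source = event["IpAddress"] if event["IpAddress"] != "-" else event["WorkstationName"]
    return {
        "variation": variation,
        "severity": severity,
        "account": f'{event["TargetDomainName"]}\\{event["TargetUserName"]}',
        "logon_type": event["LogonType"],
        "source": source,
        "time": event["TimeCreated"],
    }


def detect(events):
    """Run classify() over events in time order, deduplicating per account and
    variation: a repeat within DEDUP_WINDOW of the last raised alert is dropped."""
    last_raised = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        hit = classify(event)
        if hit is None:
            continue
        ts = datetime.fromisoformat(event["TimeCreated"])
        key = (hit["account"].upper(), hit["variation"])
        previous = last_raised.get(key)
        if previous is not None and ts - previous < DEDUP_WINDOW:
            continue
        last_raised[key] = ts
        alerts.append(hit)
    return alerts


def logins_by_account(events, user_name):
    """Investigative helper: every logon event (any type, success or failure)
    for the account, so the analyst can see where else it authenticated."""
    return [
        (e["TimeCreated"], e["EventID"], e["LogonType"],
         e["IpAddress"] if e["IpAddress"] != "-" else e["WorkstationName"])
        for e in sorted(events, key=lambda e: e["TimeCreated"])
        if e["TargetUserName"].upper() == user_name.upper()
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(logins_by_account(SAMPLE_EVENTS, "FILESRV01$"))
```

On the sample data the failed RDP attempt at 09:00 raises the Informational base alert, the successful RDP logon a minute later raises the Low variation, the 15:00 logon is suppressed by the one-day window, and the console logon on 2024-06-03 raises the variation again. The network logon by WS01$ (type 3) and the human user's console logon never match. Note that the dedup key is per account and variation, so a failure followed by a success on the same account produces two alerts, mirroring the separate severities on this page.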