Penetration testing tool activity attempt

Cortex XDR Analytics Alert Reference by data source

Product: Cortex XDR
Last date published: 2024-11-18
Category: Analytics Alert Reference
Order: data source

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 2 Days

Required Data:
  • Requires:
    • Office 365 Audit

Detection Modules: Identity Analytics
Detector Tags:
ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: Serverless Execution (T1648)
Severity: Informational

Description

A SaaS API was invoked by a penetration testing tool.

Attacker's Goals

Usage of known tools and frameworks.

Investigative actions

  • Check whether a penetration test is currently in progress.

Variations

Penetration testing tool activity attempt

Synopsis

ATT&CK Tactic: Execution (TA0002)
ATT&CK Technique: Serverless Execution (T1648)
Severity: Medium

Description

A SaaS API was successfully invoked by a penetration testing tool.

Attacker's Goals

Usage of known tools and frameworks.

Investigative actions

  • Check whether a penetration test is currently in progress.