
Alert Pack: Create Account (MITRE ATT&CK Technique: T1136)

Purpose

This alert pack helps you detect misuse of credentials to create accounts and secure your environment by notifying you when such account creation events occur. It also helps you maintain compliance by confirming that each account created was approved, in an audit-friendly way.

Security Operations application

SecOps users can obtain more detailed information by installing these alerts through the Content Manager instead.

SecOpsAzureExternalUserInvited

SecOpsO365NewFederatedDomain

SecOpsWinUserCreationAbnormalNamingConvention

SecOpsAzureUserCreated

SecOpsO365AddedServicePrincipal

SecOpsLocalUserCreation

SecOpsAzureExternalUserInvitationRedeemed

SecOpsAWSIAMCreateUserActionObserved

SecOpsWinAnonymousAccountCreated

SecOpsGCPIAMServiceAccountCreated

SecOpsAWSNewUserPoolClientCreated


About MITRE framework

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration area, where you can apply filters to find the pack's alerts and later manage them as required. You can also reach this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.