
Alert Pack: Initial Access (MITRE ATT&CK Tactic: TA0001)

Purpose

This alert pack brings our SecOps-related content to non-SecOps customers and helps jump-start threat coverage. It contains a set of detections that alert when an attacker uses common initial access techniques to get into your environment. Once inside, attackers typically try to escalate the privileges they have obtained and establish a longer-lasting presence on your systems. These alerts give your team actionable information as soon as such an attempt is observed.

Security Operations application

Security Operations users can obtain more detailed information on these alerts by installing them through the Content Manager instead of this pack.

SecOpsLog4ShellVulnerabilityOverProxyConnections

SecOpsAzureUserConfirmedCompromised

SecOpsAWSRootLogin

SecOpsSimultaneouslyLoginbyIP

SecOpsGSuiteLoginAccountWarning

SecOpsLog4ShellVulnerabilityCloudAWS

SecOpsSimultaneouslyLoginbyUser

SecOpsGSuiteMobileSuspiciousActivity

SecOpsAWSIamSuccessfulGroupDeletion

SecOpsLog4ShellVulnerabilityOverWebServerConnections

SecOpsGSuiteUnauthorizedOAuthApp

SecOpsWinAdminRemoteLogon

SecOpsLog4ShellVulnOverDomainsUnionTableConnections

SecOpsGSuiteGovernmentAttackWarning

SecOpsProofpointTAPUserClickedMalwareLink

SecOpsLog4ShellVulnOverFirewallTrafficConnections

SecOpsLog4ShellVulnerabilityCloudGCP

SecOpsProofpointTAPUserReceivedMalwareEmail

SecOpsAzureUserLoginSuspiciousRisk

SecOpsO365PowerShellActivity

SecOpsProofpointTAPUserReceivedImpostorEmail

SecOpsAzureImpossibleTravel

SecOpsO365PhishAttempt

SecOpsProofpointTAPUserReceivedPhishingEmail

SecOpsAzureUserHighRiskSignIn

SecOpsO365ImpossibleTravel

SecOpsProofpointTAPUserClickedPhishingLink

SecOpsAzureUserHighAggregateRiskSignIn

SecOpsAWSIamFailureGroupDeletion
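
As an added illustration, not Devo's own alert logic (which this page does not reproduce), the following shows how two of the patterns named above, impossible travel (SecOpsAzureImpossibleTravel, SecOpsO365ImpossibleTravel) and simultaneous logins by one user from several IPs (SecOpsSimultaneouslyLoginbyUser), can be evaluated over sign-in events. The event fields, thresholds, IP addresses and geolocations are assumptions constructed for the example.

```python
"""Two initial-access detections of the kind listed in this pack, written as an
added example. This is not Devo's alert logic; the thresholds, field names,
IP addresses and geolocations below are assumptions constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List


@dataclass(frozen=True)
class Login:
    """One successful sign-in, already enriched with the source IP's geolocation."""
    user: str
    ts: datetime      # UTC time of the sign-in
    src_ip: str
    lat: float        # geolocation of src_ip (assumed to come from an IP-to-geo lookup)
    lon: float


MAX_PLAUSIBLE_KMH = 900.0    # assumed: roughly airliner speed; faster is not plausible travel
MIN_TRAVEL_KM = 50.0         # assumed: ignore moves inside one metro area / geo-IP jitter
SIMULTANEOUS_WINDOW_S = 300  # assumed: distinct source IPs within 5 minutes count as simultaneous


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def _group_by_user(logins: List[Login]) -> Dict[str, List[Login]]:
    """Bucket sign-ins per user, each bucket sorted by time."""
    grouped: Dict[str, List[Login]] = {}
    for login in logins:
        grouped.setdefault(login.user, []).append(login)
    for events in grouped.values():
        events.sort(key=lambda e: e.ts)
    return grouped


def impossible_travel(logins: List[Login], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[dict]:
    """Flag consecutive sign-ins by one user whose implied travel speed exceeds max_kmh."""
    alerts = []
    for user, events in _group_by_user(logins).items():
        for prev, cur in zip(events, events[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist_km < MIN_TRAVEL_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = dist_km / hours if hours > 0 else float("inf")  # same-second logins: infinite speed
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev.src_ip, "to_ip": cur.src_ip,
                               "distance_km": round(dist_km), "implied_kmh": round(speed)})
    return alerts


def simultaneous_logins_by_user(logins: List[Login], window_s: int = SIMULTANEOUS_WINDOW_S,
                                min_ips: int = 2) -> List[dict]:
    """Flag a user who signs in from min_ips or more distinct IPs inside a sliding window."""
    alerts = []
    for user, events in _group_by_user(logins).items():
        for i, anchor in enumerate(events):
            ips = {anchor.src_ip}
            for later in events[i + 1:]:
                if (later.ts - anchor.ts).total_seconds() > window_s:
                    break
                ips.add(later.src_ip)
            if len(ips) >= min_ips:
                alerts.append({"user": user, "ips": sorted(ips), "window_start": anchor.ts.isoformat()})
                break  # one alert per user is enough here; a real rule would dedupe per window
    return alerts


def _utc(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: RFC 5737 documentation addresses with made-up geolocations.
SAMPLE_LOGINS = [
    Login("alice", _utc(8, 0), "203.0.113.10", 40.4168, -3.7038),   # Madrid
    Login("alice", _utc(9, 0), "198.51.100.7", 40.7128, -74.0060),  # New York, one hour later
    Login("bob", _utc(8, 0), "192.0.2.5", 51.5074, -0.1278),        # London
    Login("bob", _utc(8, 2), "192.0.2.99", 51.5100, -0.1300),       # London, second IP, 2 min later
    Login("carol", _utc(8, 0), "198.51.100.20", 48.8566, 2.3522),   # Paris
    Login("carol", _utc(12, 0), "192.0.2.40", 51.5074, -0.1278),    # London, four hours later
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS) + simultaneous_logins_by_user(SAMPLE_LOGINS):
        print(alert)
```

On the constructed sample, alice trips the impossible-travel rule (Madrid to New York in one hour), bob trips the simultaneous-login rule (two source IPs within two minutes) but not impossible travel because the two London locations are within the assumed jitter tolerance, and carol trips neither. The two rules are complementary: a second IP in the same city is invisible to a speed check, and a slow cross-continent change is invisible to a short time window.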

What is Initial Access?

Initial Access consists of techniques that adversaries use to gain their initial foothold within a network, such as targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow continued access, for example through valid accounts or external remote services, or may be of limited use because passwords change.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of its card in Exchange to access the Alert configuration area, where you can apply filters to find the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.