Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below lists all users who performed user creation where one or more features of the activity deviate from the profile of the user, their peers, or the tenant.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | UEBA Essentials |
| ID | 0454c8d8-d0a6-42a4-8d03-f5b4fdcbd173 |
| Tactics | Persistence |
| Techniques | T1136 |
| Required Connectors | BehaviorAnalytics, AzureActiveDirectory |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| BehaviorAnalytics | ✓ | ✗ | ? |