Application Log

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)[1]

ID: DS0015
Platforms: IaaS, Linux, Office Suite, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Version: 1.0
Created: 20 October 2021
Last Modified: 14 October 2024

Data Components

Application Log: Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Domain ID Name Detects
Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None.

A larger-than-normal volume of email sent from an account, or similar phishing emails sent from real accounts within a network, may be a sign that an account was compromised and that the adversary is leveraging that access through modified email permissions.
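The folder-permission check above as detection logic, written in Python and added here as an example (it is not code from the ATT&CK page). It runs over constructed Unified Audit Log records; the record layout used (Operation, UserId, LogonType, Item.ParentFolder.Path/MemberUpn/MemberRights) is an assumption to verify against your tenant's actual exports before relying on the field paths.

```python
import json

# Well-known Exchange folder-permission principals: a grant to Default reaches
# every authenticated user, a grant to Anonymous reaches everyone.
WELL_KNOWN_GRANTEES = {"default", "anonymous"}

# Constructed sample Unified Audit Log records, one JSON object per line. The
# real AuditData payload carries many more fields; the names used here are an
# assumption about the Exchange mailbox-audit schema, not a verified export.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"Operation": "ModifyFolderPermissions", "UserId": "alice@example.com", "LogonType": "Owner",
     "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberUpn": "bob@example.com",
                               "MemberRights": "ReadAny, FolderVisible"}}},
    {"Operation": "ModifyFolderPermissions", "UserId": "alice@example.com", "LogonType": "Admin",
     "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberUpn": "Default",
                               "MemberRights": "ReadAny, FolderVisible"}}},
    {"Operation": "ModifyFolderPermissions", "UserId": "carol@example.com", "LogonType": "Owner",
     "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberUpn": "Anonymous",
                               "MemberRights": "None"}}},
    {"Operation": "ModifyFolderPermissions", "UserId": "dave@example.com", "LogonType": "Delegate",
     "Item": {"ParentFolder": {"Path": "\\Sent Items", "MemberUpn": "Anonymous",
                               "MemberRights": "ReadAny, EditOwned, FolderVisible"}}},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "LogonType": "Owner"},
]) + "\nthis line is not JSON\n"


def parse_audit_records(lines):
    """Yield parsed records, skipping blank or malformed lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_risky_folder_grants(records):
    """Return ModifyFolderPermissions events that give Default or Anonymous
    any right other than None, regardless of which logon type made the change."""
    alerts = []
    for rec in records:
        if rec.get("Operation") != "ModifyFolderPermissions":
            continue
        folder = rec.get("Item", {}).get("ParentFolder", {})
        grantee = str(folder.get("MemberUpn", ""))
        # MemberRights is a comma-separated list such as "ReadAny, FolderVisible"
        rights = [r.strip() for r in str(folder.get("MemberRights", "")).split(",") if r.strip()]
        if grantee.lower() not in WELL_KNOWN_GRANTEES:
            continue
        if not rights or rights == ["None"]:
            continue  # permission removed or reset to None: not a grant
        alerts.append({
            "mailbox": rec.get("UserId"),
            "logon_type": rec.get("LogonType"),
            "folder": folder.get("Path"),
            "grantee": grantee,
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for a in find_risky_folder_grants(parse_audit_records(SAMPLE_LOG.splitlines())):
        print(f"{a['mailbox']} ({a['logon_type']}): {a['grantee']} granted "
              f"{', '.join(a['rights'])} on {a['folder']}")
```

Feed it the AuditData column of a Search-UnifiedAuditLog export (or the audit log's JSON lines) and alert on anything it returns; the Admin and Delegate logon types are worth a separate, louder alert because those are the changes the mailbox owner did not make.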

.005 Account Manipulation: Device Registration

Entra ID creates several log entries when new devices are enrolled, which can be monitored for unexpected device registrations.[2] Additionally, joined devices can be viewed via the Entra ID portal.[3]

ICS T0800 Activate Firmware Update Mode

Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.

Enterprise T1557 Adversary-in-the-Middle

Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.[4]

.003 DHCP Spoofing

Monitor Windows logs (ex: EIDs 1341, 1342, 1020, and 1063) for changes to DHCP settings. These may also highlight DHCP issues such as when IP allocations are low or have run out.[4][5]

ICS T0830 Adversary-in-the-Middle

Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.

ICS T0803 Block Command Message

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

ICS T0804 Block Reporting Message

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

ICS T0805 Block Serial COM

Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.

Enterprise T1110 Brute Force

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

.001 Password Guessing

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[6]

.002 Password Cracking

Monitor authentication logs for system and application login failures of Valid Accounts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.

.003 Password Spraying

Monitor authentication logs for system and application login failures of Valid Accounts. Consider the following event IDs:[7]
Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.
Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.
All systems: "Audit Logon" (Success & Failure) for event ID 4648.[6]

.004 Credential Stuffing

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[6]
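The two failure patterns the Brute Force rows describe, one source failing against many accounts (password spraying, credential stuffing) and many failures against one account (password guessing), as sliding-window detection logic in Python. This is an added example, not code from the ATT&CK page; it runs over constructed 4625/4771 events, and the event field names (time, event_id, account, src_ip) and the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs that record a failed authentication:
# 4625 = logon failure, 4771 = Kerberos pre-authentication failure.
# 4648 (also listed in the text) records a logon with explicit credentials
# and is not a failure, so it is corroboration rather than a trigger here.
FAILURE_EVENT_IDS = {4625, 4771}


def _event(ts, event_id, account, src_ip):
    # Field names are our own flattening of the event, not the raw XML schema.
    return {"time": ts, "event_id": event_id, "account": account, "src_ip": src_ip}


def build_sample_events():
    """Constructed sample data: one spray, one brute-force run, some benign noise."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    events = []
    # Password spray: one source, 12 different accounts, one attempt each.
    for i in range(12):
        events.append(_event(base + timedelta(seconds=5 * i), 4771, f"user{i:02d}", "10.9.8.7"))
    # Brute force: one source hammering a single service account.
    for i in range(25):
        events.append(_event(base + timedelta(minutes=30, seconds=3 * i), 4625, "svc_backup", "203.0.113.5"))
    # Benign: a user mistypes a password twice and then succeeds (4624).
    events.append(_event(base + timedelta(hours=1), 4625, "alice", "10.0.0.2"))
    events.append(_event(base + timedelta(hours=1, seconds=20), 4625, "alice", "10.0.0.2"))
    events.append(_event(base + timedelta(hours=1, seconds=40), 4624, "alice", "10.0.0.2"))
    return events


def detect_failed_logon_patterns(events, window=timedelta(minutes=10),
                                 spray_min_accounts=10, brute_min_attempts=20):
    """Sliding-window detection over failed-logon events.

    spray : one source IP fails against >= spray_min_accounts distinct accounts inside `window`
    brute : one account accumulates >= brute_min_attempts failures inside `window`
    Each source / account is reported once, when its threshold is first crossed.
    """
    per_src = defaultdict(deque)      # src_ip  -> deque of (time, account)
    per_account = defaultdict(deque)  # account -> deque of time
    spray_alerts, brute_alerts = [], []
    spray_seen, brute_seen = set(), set()

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in FAILURE_EVENT_IDS:
            continue
        t, src, acct = ev["time"], ev["src_ip"], ev["account"]

        q = per_src[src]
        q.append((t, acct))
        while t - q[0][0] > window:      # drop attempts that fell out of the window
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= spray_min_accounts and src not in spray_seen:
            spray_seen.add(src)
            spray_alerts.append({"src_ip": src, "accounts": len(distinct),
                                 "first": q[0][0], "last": t})

        q2 = per_account[acct]
        q2.append(t)
        while t - q2[0] > window:
            q2.popleft()
        if len(q2) >= brute_min_attempts and acct not in brute_seen:
            brute_seen.add(acct)
            brute_alerts.append({"account": acct, "attempts": len(q2),
                                 "first": q2[0], "last": t})

    return {"spray": spray_alerts, "brute": brute_alerts}


if __name__ == "__main__":
    result = detect_failed_logon_patterns(build_sample_events())
    for a in result["spray"]:
        print(f"SPRAY  {a['src_ip']} tried {a['accounts']} accounts between {a['first']} and {a['last']}")
    for a in result["brute"]:
        print(f"BRUTE  {a['account']} failed {a['attempts']} times between {a['first']} and {a['last']}")
```

The per-source view is what catches spraying: each account fails only once, so any per-account threshold stays silent, while the distinct-account count from a single source crosses ten within a minute. For cloud identity providers the same logic applies with the sign-in log's client IP and user fields in place of 4625/4771.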

ICS T0806 Brute Force I/O

Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.

ICS T0858 Change Operating Mode

Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.

ICS T0807 Command-Line Interface

Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.

Enterprise T1213 Data from Information Repositories

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a large user base, so detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.001 Confluence

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators), as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.002 Sharepoint

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage the SharePoint repository as a source to mine valuable information. Access to Microsoft SharePoint repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.003 Code Repositories

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage code repositories to collect valuable information. Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.004 Customer Relationship Management Software

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage the CRM database as a source to mine valuable information. Monitor access to the CRM database, especially by privileged users, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of records; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

.005 Messaging Applications

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage messaging applications to collect valuable information. Monitor access to messaging applications, especially by privileged users such as Active Directory Domain or Enterprise Administrators, as these types of accounts should generally not be used to access messaging applications. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

ICS T0811 Data from Information Repositories

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a large user base, so detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

Enterprise T1622 Debugger Evasion

Monitor debugger logs for signs of abnormal and potentially malicious activity.

Enterprise T1491 Defacement

Monitor for third-party application logging, messaging, and/or other artifacts that may modify visual content available internally or externally to an enterprise network.

.001 Internal Defacement

Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users.

.002 External Defacement

Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

ICS T0814 Denial of Service

Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection.

Enterprise T1610 Deploy Container

Monitor application logs for any unexpected or suspicious container deployment activities through the management API or service-specific logs (e.g., Docker Daemon logs, Kubernetes event logs).

Analytic 1 - Container creation and start activities in Docker and Kubernetes

sourcetype=docker:daemon OR sourcetype=kubernetes:event
| where action IN ("create", "start")

ICS T0816 Device Restart/Shutdown

Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.

Enterprise T1484 Domain or Tenant Policy Modification

Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event system.idp.lifecycle.create will trigger on the creation of an identity provider, while sign-ins from a third-party identity provider will create the event user.authentication.auth_via_IDP.[8]

.002 Trust Modification

Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event system.idp.lifecycle.create will trigger on the creation of an identity provider, while sign-ins from a third-party identity provider will create the event user.authentication.auth_via_IDP.[8] In AWS environments, alert on events such as StartSSO, CreateSAMLProvider, or CreateOIDCProvider.[9]
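The Okta and AWS events named above as detection logic in Python, added here as an example (not code from the ATT&CK page). It runs over constructed log records, alerts on every identity-provider creation or AWS trust-provider call, and escalates when a user.authentication.auth_via_IDP sign-in follows an IdP creation within 24 hours, since a freshly added trust being used straight away is the case to triage first. eventType, published and outcome.result (Okta) and eventName, eventTime and userIdentity.arn (CloudTrail) are real fields; the actor/target shapes and the use of target displayName to tie a sign-in to its IdP are assumptions.

```python
from datetime import datetime, timedelta

OKTA_IDP_CREATED = "system.idp.lifecycle.create"
OKTA_AUTH_VIA_IDP = "user.authentication.auth_via_IDP"
AWS_TRUST_EVENTS = {"StartSSO", "CreateSAMLProvider", "CreateOIDCProvider"}


def _ts(s):
    """Parse the ISO-8601 timestamps both log sources use (trailing Z = UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample Okta System Log events, trimmed to what the detection
# reads. The actor/target layout is an assumption about the System Log schema.
SAMPLE_OKTA = [
    {"eventType": "system.idp.lifecycle.create", "published": "2024-05-01T10:00:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "admin@example.com"},
     "target": [{"type": "IdentityProvider", "displayName": "partner-saml"}]},
    {"eventType": "user.session.start", "published": "2024-05-01T10:05:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "dev@example.com"},
     "target": []},
    {"eventType": "user.authentication.auth_via_IDP", "published": "2024-05-01T10:42:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "ceo@example.com"},
     "target": [{"type": "IdentityProvider", "displayName": "partner-saml"}]},
]

# Constructed sample CloudTrail records.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ListUsers", "eventTime": "2024-05-01T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"}},
    {"eventName": "CreateSAMLProvider", "eventTime": "2024-05-01T11:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"name": "partner-saml"}},
]


def okta_trust_alerts(events, follow_window=timedelta(hours=24)):
    """Alert on each successful IdP creation; escalate a sign-in through an IdP
    that was created within `follow_window` before it."""
    created = []   # (time, idp name) of IdPs created so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        et = ev.get("eventType")
        t = _ts(ev["published"])
        idp = next((tg.get("displayName") for tg in ev.get("target", [])
                    if tg.get("type") == "IdentityProvider"), None)
        if et == OKTA_IDP_CREATED:
            created.append((t, idp))
            alerts.append({"source": "okta", "severity": "high", "time": ev["published"],
                           "actor": ev["actor"]["alternateId"], "idp": idp,
                           "reason": "identity provider created"})
        elif et == OKTA_AUTH_VIA_IDP:
            recent = [c for c in created
                      if c[1] == idp and timedelta(0) <= t - c[0] <= follow_window]
            if recent:
                alerts.append({"source": "okta", "severity": "critical", "time": ev["published"],
                               "actor": ev["actor"]["alternateId"], "idp": idp,
                               "reason": "sign-in via identity provider created "
                                         f"{t - recent[-1][0]} earlier"})
    return alerts


def cloudtrail_trust_alerts(records):
    """Flag API calls that add or switch a federation trust in an AWS account."""
    return [{"source": "aws", "severity": "high", "time": r["eventTime"],
             "actor": r.get("userIdentity", {}).get("arn"),
             "idp": r.get("requestParameters", {}).get("name"),
             "reason": f"{r['eventName']} called"}
            for r in records if r.get("eventName") in AWS_TRUST_EVENTS]


if __name__ == "__main__":
    for a in okta_trust_alerts(SAMPLE_OKTA) + cloudtrail_trust_alerts(SAMPLE_CLOUDTRAIL):
        print(f"[{a['severity']:8}] {a['source']} {a['time']} {a['actor']}: {a['reason']} ({a['idp']})")
```

In practice the creation events should be rare enough to review by hand, so the value of the correlation is ordering: a CreateSAMLProvider by a deployment principal that has never touched IAM before, or a new Okta IdP followed by an executive's first sign-in through it, goes to the top of the queue.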

Enterprise T1189 Drive-by Compromise

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

ICS T0817 Drive-by Compromise

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

Enterprise T1114 Email Collection

Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to be unaware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter is used in a forwarding process that is managed by administrators rather than by user actions: all messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[10] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than the user level.

.002 Remote Email Collection

In Office365 environments, consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior.[6]

.003 Email Forwarding Rule

Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to be unaware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true for hidden auto-forwarding rules, whose existence can only be reliably detected by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.[11] Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter is used in a forwarding process that is managed by administrators rather than by user actions: all messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[10] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than the user level.

In environments using Exchange, monitor logs for the creation or modification of mail transport rules.
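The header-based classification described under Email Collection and Email Forwarding Rule, in Python, added here as an example (not code from the ATT&CK page). It separates messages that carry X-MS-Exchange-Organization-AutoForwarded from those that additionally look forwarded to a human (an FW: subject or an X-MailFwdBy/X-Forwarded-To header) and flags the case the text singles out: many auto-forwarded messages with no visible forward marker, which points at mailbox-level forwarding (forwardingSMTPAddress) rather than a user's client rule. The sample messages and the threshold are constructed; the recipient is taken from the To header on the assumption that a redirected message keeps its original recipient there, so in production prefer the sender and recipient fields of the message-tracking log.

```python
import email
from email import policy
import re
from collections import Counter

AUTOFWD_HEADER = "X-MS-Exchange-Organization-AutoForwarded"
CLIENT_FWD_HEADERS = ("X-MailFwdBy", "X-Forwarded-To")
FWD_SUBJECT = re.compile(r"^\s*(fw|fwd)\s*:", re.IGNORECASE)

# Constructed sample messages; only the headers matter here.
# A person forwarding by hand: no auto-forward header, FW: in the subject.
MSG_MANUAL = (
    "From: bob@example.com\n"
    "To: partner@example.net\n"
    "Subject: FW: Q3 numbers\n"
    "\n"
    "See below.\n"
)
# A client-side forwarding rule: auto-forward header plus visible markers.
MSG_CLIENT_RULE = (
    "From: alice@example.com\n"
    "To: alice.personal@example.net\n"
    "Subject: FW: Invoice 1042\n"
    "X-MS-Exchange-Organization-AutoForwarded: true\n"
    "X-MailFwdBy: alice@example.com\n"
    "\n"
    "(rule-forwarded)\n"
)


def _silent(n):
    # Mailbox-level forwarding: the auto-forward header is set, but the message
    # still looks like ordinary inbound mail to the original recipient.
    return (
        f"From: vendor{n}@example.org\n"
        "To: alice@example.com\n"
        f"Subject: Contract draft {n}\n"
        "X-MS-Exchange-Organization-AutoForwarded: true\n"
        "\n"
        "Please review.\n"
    )


SAMPLE_MESSAGES = [MSG_MANUAL, MSG_CLIENT_RULE] + [_silent(n) for n in range(1, 4)]


def classify_message(raw):
    """Return the forwarding artifacts present in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auto = str(msg.get(AUTOFWD_HEADER, "")).strip().lower() == "true"
    client_hdrs = {h: str(msg[h]) for h in CLIENT_FWD_HEADERS if msg.get(h) is not None}
    subject_marked = bool(FWD_SUBJECT.match(str(msg.get("Subject", ""))))
    return {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "auto_forwarded": auto,
        # what a reader (or a mailbox search for "FW:") would recognise as a forward
        "visible_forward": subject_marked or bool(client_hdrs),
        "client_forward_headers": client_hdrs,
    }


def silent_forward_report(raw_messages, min_silent=3):
    """Count auto-forwarded messages with and without visible forward markers.

    A pile of auto-forwarded messages that carry no visible marker is the
    signature of forwarding configured on the mailbox itself, which a user
    rule review will not find.
    """
    auto = visible = 0
    silent_recipients = Counter()
    for raw in raw_messages:
        c = classify_message(raw)
        if not c["auto_forwarded"]:
            continue
        auto += 1
        if c["visible_forward"]:
            visible += 1
        else:
            silent_recipients[c["to"]] += 1
    silent = auto - visible
    return {
        "auto_forwarded": auto,
        "visible_forwards": visible,
        "silent_forwards": silent,
        "silent_recipients": dict(silent_recipients),
        "investigate_admin_forwarding": silent >= min_silent,
    }


if __name__ == "__main__":
    report = silent_forward_report(SAMPLE_MESSAGES)
    print(report)
    if report["investigate_admin_forwarding"]:
        print("check forwardingSMTPAddress / ForwardingAddress on:", *report["silent_recipients"])
```

When the report fires, the follow-up is on the Exchange side (the mailbox's forwarding attributes and the message-tracking log), not in the user's Outlook rules, because those rules are exactly what this pattern rules out.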

Enterprise T1499 Endpoint Denial of Service

Monitor for third-party application logging, messaging, and/or other artifacts that may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

.002 Service Exhaustion Flood

Monitor for third-party application logging, messaging, and/or other artifacts that may target the different network services provided by systems to conduct a DoS. In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

.003 Application Exhaustion Flood

Monitor for third-party application logging, messaging, and/or other artifacts that may target resource intensive features of web applications to cause a denial of service (DoS). In addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

.004 Application or System Exploitation

Monitor for third-party application logging, messaging, and/or other artifacts that may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [12] Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.

Enterprise T1048 Exfiltration Over Alternative Protocol

Monitor cloud-based file hosting services, such as Google Drive and Microsoft OneDrive, for unusual instances of file downloads – for example, many downloads by a single user in a short period of time. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. Additionally, data loss prevention policies can be defined to detect and alert on exfiltration events on particularly sensitive data.

Enterprise T1567 Exfiltration Over Web Service

Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data.

.004 Exfiltration Over Webhook

Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks.

Enterprise T1190 Exploit Public-Facing Application

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., /var/log/httpd or /var/log/apache2 for Apache web servers on Linux) may also record evidence of exploitation.

ICS T0819 Exploit Public-Facing Application

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.

Enterprise T1203 Exploitation for Client Execution

Monitor log entries from browsers, Office applications, and third-party applications for suspicious behavior, such as crashes, abnormal terminations, or instability that could indicate an attempted exploit.

Analytic 1 - logs related to application crashes or unexpected behavior, which could signal an attempt to exploit vulnerabilities.

sourcetype=WinEventLog:Application EventCode=1000
| search application IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "acrord32.exe", "flashplayer.exe")
| stats count by application, event_description
| where event_description IN ("crash", "instability", "unexpected termination")

Enterprise T1212 Exploitation for Credential Access

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

Enterprise T1211 Exploitation for Defense Evasion

Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions or for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

ICS T0820 Exploitation for Evasion

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

ICS T0890 Exploitation for Privilege Escalation

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

Enterprise T1210 Exploitation of Remote Services

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.

ICS T0866 Exploitation of Remote Services

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.

Enterprise T1133 External Remote Services

When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.

ICS T0822 External Remote Services

When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.

Enterprise T1657 Financial Theft

Review and monitor financial application logs for signs of financial theft, such as abnormal monetary transactions or resource balances.

Email logs may also highlight account takeovers, impersonation, or another activity that may enable monetary theft.

Enterprise T1200 Hardware Additions

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

Enterprise T1564 Hide Artifacts

Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection.

.008 Email Hiding Rules

Monitor for third-party application logging, messaging, and/or other artifacts that may use email rules to hide inbound emails in a compromised user's mailbox. Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries. In environments using Exchange, monitor logs for the creation or modification of mail transport rules.

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Enterprise T1656 Impersonation

Review and monitor email and other user communication logs for signs of impersonation, such as suspicious emails (e.g., from known malicious or compromised accounts) or content associated with an adversary's actions on objective (e.g., abnormal monetary transactions).

Enterprise T1070 Indicator Removal

Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules.

.008 Clear Mailbox Data

In environments using Exchange, monitor logs for the creation or modification of mail processing settings, such as transport rules.

Enterprise T1534 Internal Spearphishing

Email gateways usually do not scan internal email, but an organization can leverage a journaling-based solution, which sends a copy of emails to a security service for offline analysis, or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.[13]

ICS T0838 Modify Alarm Settings

Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.

Enterprise T1556 Modify Authentication Process

Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Entra ID Application Proxy Connector, which are typically generated only when a new Pass Through Authentication (PTA) Agent is added. [14] If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment.[15]

Analytic 1 - Unexpected sign-ins or new PTA Agent additions.

index=third_party_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit")
    (eventName IN ("AddServicePrincipal", "AddUser", "UpdateUser", "AddGroup", "UpdateGroup", "AddPolicy", "UpdatePolicy", "AddRole", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy")
     OR eventCategory IN ("Sign-ins", "Security", "AuditLogs")
     OR EventID IN (501, 4662)
     OR "protoPayload.methodName" IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update"))

.006 Multi-Factor Authentication

Monitor for changes made to global multi-factor authentication settings in Identity-as-a-Service providers. For example, in Okta environments, the events system.mfa.factor.activate and system.mfa.factor.deactivate will trigger when an MFA factor is globally activated or deactivated. [8]

Analytic 1 - Changes to MFA settings outside of normal maintenance windows.

index=security (sourcetype="audit" OR sourcetype="azure:eventhub" OR sourcetype="o365:management:activity" OR sourcetype="gsuite:reports:admin")
    EventCode IN ("UserAddedToMFAExcludedGroup", "MFASettingsModified", "MFASettingsDisabled", "AddMFAOption", "RemoveMFAOption", "MFAEnforcementDisabled")

.007 Hybrid Identity

Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Entra ID Application Proxy Connector, which are typically generated only when a new PTA Agent is added. [14] If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment.[15]

ICS T0821 Modify Controller Tasking

Monitor asset application logs for information that indicate task parameters have changed.

ICS T0836 Modify Parameter

Monitor device application logs for parameter changes, although not all devices will produce such logs.

ICS T0889 Modify Program

Monitor device application logs that indicate the program has changed, although not all devices produce such logs.

ICS T0839 Module Firmware

Monitor device application logs for firmware changes, although not all devices will produce such logs.

ICS T0801 Monitor Process State

Monitor application logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).

Enterprise T1621 Multi-Factor Authentication Request Generation

Monitor application logs for suspicious events, including repeated MFA failures, that may indicate a user's primary credentials have been compromised.

Enterprise T1027 Obfuscated Files or Information

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

.005 Indicator Removal from Tools

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

.014 Polymorphic Code

The initial detection of a malicious tool or anomalous behavior may trigger an anti-virus or other security tool alert, and may be one of the only indications received before the code is able to mutate and evade the same type of detection. The alerting system should be thoroughly investigated beyond the initial alert for activity that may not have been detected.

Enterprise T1137 Office Application Startup

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Microsoft Office-based applications for persistence between startups. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[16]

.003 Outlook Forms

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[16]

.004 Outlook Home Page

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[16]

.005 Outlook Rules

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.[16]

Enterprise T1069 Permission Groups Discovery

Monitor for logging, messaging, and other artifacts provided by cloud services.

.003 Cloud Groups

Monitor for events collected that may attempt to find cloud groups and permission settings.

Enterprise T1566 Phishing

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

.001 Spearphishing Attachment

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[19]

.002 Spearphishing Link

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.[20] Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).

.003 Spearphishing via Service

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing messages via third-party services in an attempt to gain access to victim systems.

.004 Spearphishing Voice

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

Enterprise T1598 Phishing for Information

Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers.

.001 Spearphishing Service

Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

.002 Spearphishing Attachment

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18]

.003 Spearphishing Link

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can also help detect links leading to known malicious sites.[20]

Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).
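The email checks named for Phishing (T1566) and Phishing for Information (T1598) above, as one added example that is not part of the ATT&CK page or its references: it reads the Authentication-Results verdicts for SPF and DKIM, checks From/Return-Path domain alignment, and flags link hosts whose labels mix Unicode scripts (the Cyrillic-vs-Latin homograph case), decoding punycode labels first. The sample message, the mailbox names and the finding labels are constructed for this example.

```python
import email
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture). The link host is a
# Cyrillic "а" followed by "pple.com", punycode-encoded at runtime.
PUNY_HOST = "\u0430pple.com".encode("idna").decode("ascii")
SAMPLE = f"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <bounce@bulk.example.net>
Subject: Password reset required

Please verify your account at http://{PUNY_HOST}/login
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def auth_results(msg):
    """Map each mechanism in Authentication-Results to its verdict."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): v.lower() for m, v in AUTH_RE.findall(header)}


def domain_of(header_value):
    """Domain part of the address in a From or Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def scripts_in(label):
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in a host label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def homograph_hosts(text):
    """Hosts of URLs in text whose labels mix scripts, with punycode decoded."""
    hits = []
    for url in URL_RE.findall(text):
        labels = []
        for label in (urlparse(url).hostname or "").split("."):
            if label.startswith("xn--"):
                label = label.encode("ascii").decode("idna")
            labels.append(label)
        if any(len(scripts_in(lbl)) > 1 for lbl in labels):
            hits.append(".".join(labels))
    return hits


def analyze(raw):
    """Findings for one raw RFC 5322 message: failed/missing SPF or DKIM,
    From vs Return-Path domain mismatch, and homograph link hosts."""
    msg = email.message_from_string(raw)
    auth = auth_results(msg)
    findings = [f"{m}_{auth.get(m, 'missing')}" for m in ("spf", "dkim")
                if auth.get(m) != "pass"]
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"return_path_mismatch:{from_dom}!={rp_dom}")
    findings += [f"homograph_host:{h}" for h in homograph_hosts(msg.get_payload())]
    return findings


if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```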

.004 Spearphishing Voice

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers.

ICS T0861 Point & Tag Identification

Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.

ICS T0843 Program Download

Monitor device configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

ICS T0845 Program Upload

Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.

Enterprise T1496 Resource Hijacking

Monitor logs for software-as-a-service (SaaS) applications for signs of abuse.

.003 SMS Pumping

Monitor for excessive use of SMS services, especially on public sign-up forms. For example, alert on large quantities of messages sent to adjacent numbers. In SMS-based OTP flows, monitor for large quantities of incomplete verification cycles.[21] In Amazon Cognito environments, monitor for spikes in calls to the SignUp or ResendConfirmationCode API.[9]
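The two SMS Pumping signals above (bursts of messages to adjacent numbers, and OTP flows that are never completed) as an added example that is not part of the ATT&CK page; the OTP gateway event format, the sample numbers and the thresholds are constructed for this example.

```python
# Constructed OTP-gateway events: (destination number in E.164 form, event).
# The run +447700900100..105 is a constructed adjacent-number burst.
EVENTS = [
    ("+15550001001", "otp_sent"), ("+15550001001", "otp_verified"),
    ("+447700900100", "otp_sent"), ("+447700900101", "otp_sent"),
    ("+447700900102", "otp_sent"), ("+447700900103", "otp_sent"),
    ("+447700900104", "otp_sent"), ("+447700900105", "otp_sent"),
    ("+15550002222", "otp_sent"), ("+15550002222", "otp_verified"),
]


def adjacent_runs(numbers, min_len=5):
    """Runs of numerically consecutive phone numbers of length >= min_len."""
    vals = sorted({int(n.lstrip("+")) for n in numbers})
    runs, current = [], vals[:1]
    for prev, cur in zip(vals, vals[1:]):
        if cur - prev == 1:
            current.append(cur)
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = [cur]
    if len(current) >= min_len:
        runs.append(current)
    return [[f"+{v}" for v in run] for run in runs]


def incomplete_ratio(events):
    """Share of numbers that received an OTP but never completed verification."""
    sent = {n for n, e in events if e == "otp_sent"}
    verified = {n for n, e in events if e == "otp_verified"}
    return len(sent - verified) / len(sent) if sent else 0.0


def detect(events, min_run=5, max_incomplete=0.5):
    """Findings: adjacent-number bursts and an incomplete-verification ratio
    above max_incomplete. Both thresholds are assumptions for this example."""
    sent_to = [n for n, e in events if e == "otp_sent"]
    findings = [f"adjacent_run:{r[0]}..{r[-1]}:{len(r)}"
                for r in adjacent_runs(sent_to, min_run)]
    ratio = incomplete_ratio(events)
    if ratio > max_incomplete:
        findings.append(f"incomplete_ratio:{ratio:.2f}")
    return findings


if __name__ == "__main__":
    print("\n".join(detect(EVENTS)))
```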

.004 Cloud Service Hijacking

Monitor for excessive use of SaaS applications, especially messaging and AI-related services. In AWS SES environments, monitor for spikes in calls to the SendEmail or SendRawEmail API. Especially note the use of services which are not typically used by the organization.

ICS T0848 Rogue Master

Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.

Enterprise T1594 Search Victim-Owned Websites

Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as the Referer or User-Agent HTTP/S header fields.

Enterprise T1505 Server Software Component

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse legitimate extensible development features of servers to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network.[22]

.001 SQL Stored Procedures

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse SQL stored procedures to establish persistent access to systems. On an MSSQL Server, consider monitoring for xp_cmdshell usage.[23] Consider enabling audit features that can log malicious startup activities.

.002 Transport Agent

Monitor for third-party application logging, messaging, and/or other artifacts that may abuse Microsoft transport agents to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components.

.003 Web Shell

Monitor for third-party application logging, messaging, and/or other artifacts that may backdoor web servers with web shells to establish persistent access to systems. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network.[22]

Enterprise T1648 Serverless Execution

Monitor Serverless Execution activities by examining logs that contain information about Serverless function invocations. This is especially useful for detecting anomalous behavior within AWS Lambda, Azure Functions, or Google Cloud Functions. For example, in Exchange environments emails sent by Power Automate via the Outlook 365 connector include the phrase 'Power App' or 'Power Automate' in the SMTP header 'x-ms-mail-application'.[24]

Analytic 1 - Failed or abnormal serverless function invocations across AWS, Azure, and Google Cloud

sourcetype=aws:lambda OR sourcetype=azure:function OR sourcetype=gcp:function | where result_status != "Success"

Enterprise T1072 Software Deployment Tools

Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage. Perform application deployment at regular times so that irregular deployment activity stands out.

Analytic 1 - Look for irregular deployment activity, systems not typically used for deployment suddenly pushing software, abnormal account login activity

sourcetype=aws_system_manager OR sourcetype=azure_arc | search (event_description="deployment" OR action="push" OR result="success" OR result="failure" OR command="run script")

ICS T0865 Spearphishing Attachment

Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.[17][18] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.

Enterprise T1649 Steal or Forge Authentication Certificates

Ensure CA audit logs are enabled and monitor these services for signs of abuse.[25]

ICS T0857 System Firmware

Monitor device application logs for firmware changes, although not all devices will produce such logs.

Enterprise T1537 Transfer Data to Cloud Account

Monitor logs for SaaS applications to detect instances of data being shared inappropriately. For example, in Microsoft 365, file sharing events will appear in Audit logs under the event names SharingInvitationCreated, AnonymousLinkCreated, SecureLinkCreated, or AddedToSecureLink, with TargetUserOrGroupType being Guest.[26] In Google Workspace, externally shared files will have a Visibility property of Shared externally in the Drive audit logs.[27]
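The two audit-log conditions above (Microsoft 365 sharing operations with a Guest target, and Google Workspace Drive events whose Visibility is "Shared externally") as an added example that is not part of the ATT&CK page; the records are constructed, the field names follow those the page cites, and the rule that an AnonymousLinkCreated event is flagged unconditionally (it has no target user) is an assumption made here.

```python
import json

# Constructed Microsoft 365 unified audit log records, as exported to JSON.
M365_AUDIT = json.dumps([
    {"Operation": "SharingInvitationCreated", "UserId": "alice@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/fin/Q3.xlsx",
     "TargetUserOrGroupType": "Guest", "TargetUserOrGroupName": "eve@contoso.example"},
    {"Operation": "AnonymousLinkCreated", "UserId": "alice@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/fin/payroll.csv"},
    {"Operation": "SharingInvitationCreated", "UserId": "dave@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/eng/design.docx",
     "TargetUserOrGroupType": "Member", "TargetUserOrGroupName": "carol@example.com"},
    {"Operation": "FileAccessed", "UserId": "carol@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/hr/handbook.docx"},
])

# Constructed Google Workspace Drive log events.
GWS_DRIVE = json.dumps([
    {"actor": "alice@example.com", "event_name": "change_user_access",
     "doc_title": "Roadmap.pdf", "visibility": "Shared externally",
     "target_user": "eve@gmail.example"},
    {"actor": "bob@example.com", "event_name": "edit",
     "doc_title": "Notes.gdoc", "visibility": "Private"},
])

# The four sharing operation names the page lists for Microsoft 365.
SHARING_OPS = {"SharingInvitationCreated", "AnonymousLinkCreated",
               "SecureLinkCreated", "AddedToSecureLink"}


def flag_m365(raw_json):
    """External shares: a sharing operation whose target is a Guest. Anonymous
    links carry no target user, so they are flagged unconditionally (assumption)."""
    hits = []
    for rec in json.loads(raw_json):
        op = rec.get("Operation")
        if op not in SHARING_OPS:
            continue
        if op == "AnonymousLinkCreated" or rec.get("TargetUserOrGroupType") == "Guest":
            hits.append(("m365", rec["UserId"], rec["ObjectId"],
                         rec.get("TargetUserOrGroupName", "anyone-with-link")))
    return hits


def flag_gws(raw_json):
    """External shares: Drive events with Visibility 'Shared externally'. The
    API spelling shared_externally is normalised to the same value."""
    hits = []
    for rec in json.loads(raw_json):
        vis = rec.get("visibility", "").lower().replace(" ", "_")
        if vis == "shared_externally":
            hits.append(("gws", rec["actor"], rec["doc_title"],
                         rec.get("target_user", "")))
    return hits


def external_shares():
    """All external-sharing findings across both constructed sources."""
    return flag_m365(M365_AUDIT) + flag_gws(GWS_DRIVE)


if __name__ == "__main__":
    for source, actor, obj, target in external_shares():
        print(f"{source}: {actor} shared {obj} with {target}")
```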

ICS T0864 Transient Cyber Asset

Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.

Enterprise T1199 Trusted Relationship

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network. Monitor logs for unexpected actions taken by any delegated administrator accounts.[28]

ICS T0855 Unauthorized Command Message

Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.

Enterprise T1552 Unsecured Credentials

Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.[29]

Analytic 1 - Abnormal search activity targeting passwords and other credential artifacts.

(index=third_party sourcetype IN ("mailserver_logs", "webapp_logs", "appliance_logs") ("search" OR "query" OR "find" OR "grep") ("password" OR "credential" OR "key" OR "secret" OR "token"))

.008 Chat Messages

Monitor application logs for activity that may highlight malicious attempts to access application data, especially abnormal search activity targeting passwords and other artifacts related to credentials.[29]

Analytic 1 - Abnormal search activity targeting passwords and other credential artifacts.

index=security sourcetype IN ("gsuite:activity", "o365:audit", "slack:events", "teams:events") (action IN ("message_send", "file_upload") AND (message_content="*password*" OR message_content="*token*" OR message_content="*apikey*" OR message_content="*credentials*" OR message_content="*login*" OR file_name="*password*" OR file_name="*token*" OR file_name="*apikey*" OR file_name="*credentials*"))

Enterprise T1550 Use Alternate Authentication Material

Monitor for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

.004 Web Session Cookie

Monitor for third-party application logging, messaging, and/or other service artifacts that provide context of user authentication to web applications, including cloud-based services. Combine this information with web credentials usage events to identify authentication events that do not fit the organization baseline.

Enterprise T1204 User Execution

Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.

Analytic 1 - Logs showing unexpected user actions triggering unusual processes.

sourcetype=application_log (EventCode=1000 OR EventCode=1001) | search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe") | stats count by application event_description | where event_description IN ("opened document", "clicked link", "executed file")

.003 Malicious Image

Monitor logs from cloud platforms like AWS, GCP, or Azure to detect anomalies related to container or image execution. Look for unusual patterns or log events that deviate from typical behavior.

Analytic 1 - Unusual application logs indicating image execution anomalies.

sourcetype=application_log (EventCode=1000 OR EventCode=1001) | search log_level=ERROR OR log_level=WARNING OR message IN ("failed to pull image", "container crash", "unauthorized access")

ICS T0863 User Execution

Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.

ICS T0860 Wireless Compromise

Monitor application logs for new or unexpected devices or sessions on wireless networks.

References

  1. Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.
  2. Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.
  3. Microsoft. (2022, February 18). Manage device identities by using the Azure portal. Retrieved April 13, 2022.
  4. Microsoft. (2006, August 31). DHCP Server Operational Events. Retrieved March 7, 2022.
  5. Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved September 12, 2024.
  6. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
  7. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.
  8. Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.
  9. Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.
  10. McMichael, T. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.
  11. Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.
  12. Cid, D. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.
  13. Chris Taylor. (2017, October 5). When Phishing Starts from the Inside. Retrieved October 8, 2019.
  14. Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.
  15. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
  16. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.
  17. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  18. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
  19. Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.
  20. Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.
  21. Twilio. (n.d.). What is SMS Pumping Fraud?. Retrieved September 25, 2024.
  22. US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
  23. Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved September 12, 2024.
  24. Microsoft. (2022, February 15). Email exfiltration controls for connectors. Retrieved May 27, 2022.
  25. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
  26. Microsoft. (2023, October 1). Use sharing auditing in the audit log. Retrieved March 4, 2024.
  27. Google. (n.d.). Drive log events. Retrieved March 4, 2024.
  28. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.
  29. Slack Help Center. (n.d.). View Access Logs for your workspace. Retrieved April 10, 2023.