Author: Admin | 2025-04-28
escalation and ensures customers have sufficient time to respond effectively.

Credit to Min Kim (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections Case 1
SaaS / Compromise / SaaS Anomaly Following Anomalous Login
SaaS / Compromise / Unusual Login and New Email Rule
SaaS / Compliance / Anomalous New Email Rule
SaaS / Unusual Activity / Multiple Unusual SaaS Activities
SaaS / Access / Unusual External Source for SaaS Credential Use
SaaS / Compromise / Login From Rare Endpoint While User Is Active
SaaS / Email Nexus / Unusual Login Location Following Link to File Storage
Antigena / SaaS / Antigena Email Rule Block (Autonomous Response)
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (Autonomous Response)
Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block (Autonomous Response)

List of Indicators of Compromise (IoCs)
176.105.224[.]132 – IP address – Unusual SaaS Activity Source
hremployeepyaroll@mail[.]com – Email address – Reply-to email address

MITRE ATT&CK Mapping
Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078
Outlook Rules – PERSISTENCE – T1137
Cloud Service Dashboard – DISCOVERY – T1538
Compromise Accounts – RESOURCE DEVELOPMENT – T1586
Steal Web Session Cookie – CREDENTIAL ACCESS – T1539

Darktrace Model Detections Case 2
SaaS / Compromise / SaaS Anomaly Following Anomalous Login
SaaS / Compromise / Unusual Login and Account Update
Security Integration / High Severity Integration Detection
SaaS / Access / Unusual External Source for SaaS Credential Use
SaaS / Compromise / Login From Rare Endpoint While User Is Active
SaaS / Compromise / Login from Rare High Risk Endpoint
SaaS / Access / M365 High Risk Level Login
Antigena / SaaS
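The IoCs above are published defanged, and the Case 1 model names describe a sequence (anomalous login, then a new inbox rule) rather than a single indicator. The script below is an added example, not Darktrace's code or telemetry: it refangs the two IoCs, searches a set of constructed Microsoft 365 Unified Audit Log records for them (comparing the IP as an address so substrings do not false-match, and searching the serialized record for the e-mail so reply-to, forwarding and rule parameters are all covered), and flags any user whose successful login from the IoC IP is followed within an hour by a New-InboxRule. The field names (CreationTime, Operation, UserId, ClientIP, ResultStatus, Parameters) follow the common Exchange/Entra audit schema but are assumptions here, and the log records are invented for the example.

```python
"""Hunt the appendix IoCs and the login -> new-inbox-rule sequence in
Microsoft 365 Unified Audit Log records.
Added example, not Darktrace code. Field names are assumed; records are constructed."""
import ipaddress
import json
import re
from datetime import datetime, timedelta

# IoCs exactly as published in the appendix (defanged).
DEFANGED_IOCS = {
    "ip": "176.105.224[.]132",
    "email": "hremployeepyaroll@mail[.]com",
}

# Constructed sample records (NOT real telemetry); bob is the compromised account.
SAMPLE_LOG = [
    {"CreationTime": "2025-04-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2025-04-01T09:14:03", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "176.105.224.132", "ResultStatus": "Success"},
    {"CreationTime": "2025-04-01T09:16:40", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "176.105.224.132:443",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "payroll;invoice"}]},
    {"CreationTime": "2025-04-01T10:00:00", "Operation": "Send",
     "UserId": "bob@example.com", "ClientIP": "176.105.224.132",
     "Item": {"ReplyTo": "hremployeepyaroll@mail.com", "Subject": "Payroll update"}},
]


def refang(value: str) -> str:
    """Undo common defanging: [.] -> . , [@] -> @ , hxxp -> http."""
    value = value.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"hxxp", "http", value, flags=re.I)


def _client_ip(record):
    """Parse ClientIP, tolerating the 'a.b.c.d:port' form; None if unparseable."""
    raw = record.get("ClientIP")
    if not raw:
        return None
    for candidate in (raw, raw.rpartition(":")[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def ioc_hits(records, defanged=DEFANGED_IOCS):
    """Return [(record_index, ioc_kind)] for every record touching a published IoC."""
    ioc_ip = ipaddress.ip_address(refang(defanged["ip"]))
    ioc_mail = refang(defanged["email"]).lower()
    hits = []
    for i, rec in enumerate(records):
        if _client_ip(rec) == ioc_ip:
            hits.append((i, "ip"))
        # Serialize the whole record so reply-to, forwarding targets and rule
        # parameters are all searched, wherever the schema puts them.
        if ioc_mail in json.dumps(rec).lower():
            hits.append((i, "email"))
    return hits


def login_then_inbox_rule(records, window=timedelta(hours=1), defanged=DEFANGED_IOCS):
    """Flag users with a successful login from the IoC IP followed within `window`
    by a New-InboxRule: the sequence behind 'Unusual Login and New Email Rule'."""
    ioc_ip = ipaddress.ip_address(refang(defanged["ip"]))
    by_user = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        by_user.setdefault(rec["UserId"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        logins = [r for r in recs if r["Operation"] == "UserLoggedIn"
                  and r.get("ResultStatus") == "Success" and _client_ip(r) == ioc_ip]
        for login in logins:
            t0 = datetime.fromisoformat(login["CreationTime"])
            for r in recs:
                if r["Operation"] != "New-InboxRule":
                    continue
                t1 = datetime.fromisoformat(r["CreationTime"])
                if t0 <= t1 <= t0 + window:
                    params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
                    findings.append({"user": user, "login_at": login["CreationTime"],
                                     "rule_at": r["CreationTime"],
                                     "rule_name": params.get("Name"),
                                     "deletes_mail": params.get("DeleteMessage") == "True"})
    return findings


if __name__ == "__main__":
    for hit in ioc_hits(SAMPLE_LOG):
        print("IoC hit:", hit)
    for finding in login_then_inbox_rule(SAMPLE_LOG):
        print("Login followed by inbox rule:", finding)
```

Against the constructed records this reports bob's login from the IoC IP, the inbox rule created two minutes later (named "." and deleting matching mail, the hide-the-evidence pattern the "Anomalous New Email Rule" models target), and the outbound message carrying the reply-to IoC. On real data, export the Unified Audit Log for the suspected window and feed the AuditData JSON objects in place of SAMPLE_LOG.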