Stolen User Credentials🔗
The Stolen User Credentials Detector combines signals from multiple sources to identify suspected stolen user credentials for a single user. The unusual events are then published as an alert that displays in the XDR Dashboard.
Requirements🔗
This detector requires the following data sources, integrations, or schemas:
- Auth, by way of detections from input detectors
-
Alerts from multiple sub-detectors including:
- Impossible Travel
- Specific rules from Tactic Graphs™ Detector:
- Unseen User Agent for User
- Unseen ASN for User
- Unseen ASN for Tenant
- Unseen IP Address for User
- Unseen IP Address for Tenant
- Microsoft:IPC
Inputs🔗
Detections are from the following normalized sources:
- Auth, Observations
Outputs🔗
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options🔗
This detector is enabled by default when the required data sources or integrations are available in the tenant.
Note
The events with source IP addresses that belong to tenant's VPN listed in their Tenant Profile will not generate any of the Unseen detections.
MITRE ATT&CK Category🔗
- MITRE Enterprise ATT&CK - Defense Evasion, Persistence, Privilege Escalation, Initial Access - Valid Accounts. For more information, see MITRE Technique T1078.
Detector Testing🔗
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
References🔗
- Detectors
- Schemas