April 17, 2025 - Content Update
We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault fortnightly releases. Just like Microsoft’s Patch Tuesday, the DARC Vault serves as a reliable source for enhanced security content, enabling our users to stay ahead of evolving threats.
Each fortnight, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This fortnight, we are excited to announce a significant update focused on Azure, AWS SNS and Okta.
Below is a summary of the new additions and improvements:
Summary of Fortnightly Improvements
| Content Type | Actions | Count |
|---|---|---|
| Detections | New | 54 |
| | Enhanced | – |
| Dashboards | New | 4 |
| Reports | New | 4 |
New Detections
| # | Name | Description |
|---|---|---|
| 1 | SNS Topic Created by Rare User | This detection identifies when an AWS SNS (Simple Notification Service) topic is created by a user who rarely or never performs this activity. While SNS topics are used to enable distributed messaging for applications and services, adversaries may abuse them to exfiltrate data, conduct phishing, or establish communication channels for further compromise. A rare user creating an SNS topic can be indicative of compromised credentials or abuse of excessive permissions. |
| 2 | SNS Topic Subscription with Email by Rare User | This detection identifies when an AWS SNS (Simple Notification Service) topic is subscribed to using an email protocol by a user who does not typically perform such actions. This could indicate an attempt by an adversary to exfiltrate data or receive sensitive notifications externally by leveraging SNS topics. Malicious actors may subscribe external email addresses to SNS topics to receive information from within the environment without detection. |
| 3 | SNS Topic Message Published by Rare User | This detection identifies when a Simple Notification Service (SNS) topic message is published by a rare user in AWS. Such activity may indicate malicious behavior, such as phishing, data exfiltration, or unauthorized communication with internal or external services. Since SNS topics can deliver messages to various endpoints like Lambda functions, SQS queues, email addresses, or HTTP endpoints, misuse can have broad security implications. |
| 4 | SNS Direct-to-Phone Messaging Spike | This detection identifies a spike in AWS SNS direct-to-phone (SMS) messaging activity, potentially indicating misuse of the SNS service to send mass messages. Adversaries may exploit SNS to distribute smishing attacks, send malicious content, or overwhelm users with deceptive messages. An unusually high volume of SMS messages sent by a user or service may signal compromised credentials or an insider threat attempting to misuse AWS infrastructure. |
| 5 | MFA Reset or Deactivated for Okta User Account | Detects when an Okta Application Sign-On Policy is modified or deleted. Sign-on policies enforce authentication controls such as MFA and access restrictions. Unauthorized changes may indicate an attacker attempting to weaken authentication security, bypass policies, or facilitate unauthorized access. Analysts should verify if the modification or deletion was authorized, review the associated user or admin, and check for privilege escalation or account compromise. |
| 6 | Okta Application Sign-On Policy Modified or Deleted | Detects when an Okta Application Sign-On Policy is modified or deleted. Sign-on policies enforce authentication controls such as MFA and access restrictions. Unauthorized changes may indicate an attacker attempting to weaken authentication security, bypass policies, or facilitate unauthorized access. Analysts should verify if the modification or deletion was authorized, review the associated user or admin, and check for privilege escalation or account compromise. |
| 7 | Multiple Device Token Hashes for Single Okta Session | Detects instances where multiple device token hashes are associated with a single Okta session. Normally, an Okta session should be linked to a single trusted device. Multiple token hashes may indicate session hijacking, adversary-in-the-middle (AiTM) attacks, or unauthorized session sharing. Analysts should investigate if the session originated from expected devices, check geolocation and IP activity, and verify if the user experienced unusual authentication prompts. |
| 8 | Administrator Role Assigned to an Okta User | This detection identifies when a user is granted an administrator role in Okta. Admin roles provide elevated privileges, including user management, authentication policies, and security settings. Unauthorized assignments may indicate privilege escalation attempts by an attacker or insider threats. Analysts should verify if the assignment was authorized, review the associated user or admin making the change, and check for signs of suspicious privilege escalation. |
| 9 | Possible Okta DoS Attack | Detects a potential Denial-of-Service (DoS) attack targeting Okta authentication services. A DoS attack may involve excessive authentication requests, failed logins, or abuse of MFA prompts, leading to service degradation or account lockouts. This activity can disrupt user access, prevent legitimate authentication, or be part of a broader attack strategy such as MFA fatigue or brute-force attempts. Analysts should investigate the source of excessive authentication requests, review associated IPs and user activity, and determine if the activity is malicious or a misconfiguration. |
| 10 | Attempt to Create or Revoke Okta API Token | Detects attempts to create or revoke an Okta API token. API tokens provide programmatic access to identity and authentication services, and unauthorized actions involving these tokens may indicate an attacker attempting to establish persistence, exfiltrate data, or disrupt security controls. Analysts should verify if the token action was authorized, review the associated user or application, and check for signs of privilege escalation or credential abuse. |
| 11 | Okta Identity Provider Created | Detects the creation of a new Identity Provider (IdP) in Okta. Identity Providers authenticate users via external services (e.g., SAML, OIDC, or social login integrations). Unauthorized IdP creation may indicate an attacker attempting to establish a backdoor for persistence, bypass authentication policies, or facilitate unauthorized access to Okta applications. Analysts should verify if the IdP creation was authorized, review associated users, and check for privilege escalation or suspicious configuration changes. |
| 12 | Okta Sign-In Events via Third-Party IdP | This detection monitors failed Okta authentication attempts via third-party Identity Providers (IdPs). These failures may indicate misconfigurations, integration issues, or potential malicious attempts to exploit federated login mechanisms. Identifying such events is essential for maintaining the integrity of your authentication process and preventing unauthorized access attempts. |
| 13 | Okta FastPass Attempt | Detects failed user authentication attempts in Okta where FastPass declined a phishing attempt. This detection helps identify attackers using real-time phishing proxies to intercept user credentials. If confirmed malicious, this could lead to unauthorized access, potential data breaches, and lateral movement within the organization. |
| 14 | Administrator Privileges Assigned to an Okta Group | Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization. |
| 15 | Okta User Session Start Via An Anonymising Proxy Service | Detects an Okta user session initiated from an anonymizing proxy service (e.g., Tor, VPN, or other privacy-focused proxies). While some legitimate users may use anonymizing services for privacy reasons, such behavior can also indicate evasion attempts, credential stuffing, session hijacking, or adversary-in-the-middle (AiTM) attacks. Analysts should investigate if the session aligns with the user’s normal behavior, check for failed authentication attempts, and correlate with other suspicious activities. |
| 16 | Attempt to Modify or Delete an Okta Application | Detects an attempt to modify or delete an Okta application. Unauthorized changes to Okta applications can disrupt authentication, remove security controls, or indicate an attacker manipulating access. Analysts should verify if the modification or deletion was authorized, review the associated user or admin, and check for privilege escalation or security policy changes. |
| 17 | Okta Authentication Failed During MFA | This detection identifies failed multi-factor authentication (MFA) attempts in Okta. Frequent or unexpected MFA failures may indicate unauthorized access attempts, phishing attacks, or adversary-in-the-middle (AiTM) tactics. Analysts should investigate repeated failures, correlate with user activity, and check for potential credential compromise or MFA fatigue attacks. |
| 18 | Attempted Bypass of Okta MFA | Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. |
| 19 | Okta Suspicious Activity Reported by End-user | Triggered when an end-user reports suspicious activity in Okta, such as unauthorized login attempts, unexpected MFA prompts, or unusual device access. This may indicate account compromise, phishing attacks, MFA fatigue, or adversary-in-the-middle (AiTM) attacks. Analysts should investigate the reported activity, review recent authentication logs, check for unauthorized session takeovers, and correlate with other security events. |
| 20 | Attempt to Delete or Deactivate an Okta Network Zone | Detects an attempt to delete or deactivate an Okta Network Zone. Network Zones define trusted locations for authentication and security policies. Their modification or removal could indicate an attacker attempting to bypass security controls, evade geo-restrictions, or disable risk-based authentication policies. Analysts should investigate whether the change was authorized, review associated users, and check for signs of privilege escalation or unauthorized access. |
| 21 | MFA Deactivation with no Re-Activation for Okta User Account | Detects instances where multi-factor authentication (MFA) is deactivated for an Okta user account without subsequent re-activation within six hours. This activity may indicate an adversary attempting to weaken authentication controls to facilitate unauthorized access. |
| 22 | Multiple Okta User Authentication Events with Client Address | Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt credential stuffing or password spraying attacks using known usernames and passwords to gain unauthorized access to user accounts. |
| 23 | Azure Automation Account Created | This detection identifies the creation of a new Azure Automation Account, which is used for running automation scripts, process automation, configuration management, and security automation. While legitimate users create automation accounts for operational efficiency, an attacker may create one to establish persistence, execute malicious scripts, or move laterally within the environment. Analysts should verify if the creation was authorized, review the associated user or service principal, and check for signs of privilege escalation or suspicious automation runbooks. |
| 24 | Azure Virtual Network Deleted | Identifies when a virtual network device is deleted. This can be a network virtual appliance, virtual hub, or virtual router. Unauthorized deletions can disrupt connectivity, impact security, and indicate potential malicious activity. Analysts should verify whether the deletion was authorized and investigate for signs of privilege abuse or misconfigurations. |
| 25 | Multi-Factor Authentication Disabled for an Azure User | Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. Disabling MFA weakens authentication security and can indicate potential unauthorized access. Adversaries may attempt to disable MFA to maintain persistence or escalate privileges within the environment. |
| 26 | Azure Service Principal Addition | This detection identifies the addition of a new service principal in Azure. Service principals are identities used by applications, hosted services, or automated tools to access and modify resources. While service principals are recommended for automation over user-based authentication, unauthorized creation may indicate an attempt to establish persistence or elevate privileges. |
| 27 | Possible Consent Grant Attack via Azure Registered Application | Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. |
| 28 | Virtual Network Gateway Connection Deleted | This detection identifies the successful deletion of an Azure Virtual Network Gateway Connection. This connection is critical for secure VPN or ExpressRoute communications between on-premises and cloud environments. Unauthorized deletions may indicate an attempt to disrupt network connectivity, isolate cloud resources, or evade monitoring. Analysts should verify the legitimacy of the deletion, check the associated user or service principal, and review logs for signs of unauthorized access or privilege escalation. |
| 29 | Network Security Group Deleted | This detection identifies the successful deletion of an Azure Network Security Group (NSG). NSGs regulate inbound and outbound traffic at the subnet or network interface level. Their removal may expose cloud resources to unauthorized access, allow lateral movement, or disrupt network protections. Analysts should verify the legitimacy of the deletion, review the associated user or service principal, and check for signs of privilege escalation or unauthorized access. |
| 30 | Azure Storage Account Key Regenerated | This detection identifies the regeneration of storage account access keys in Azure. Storage account keys grant full access to storage accounts, and their rotation can impact dependent applications and services. An adversary may regenerate a key to gain unauthorized access to sensitive storage resources. Analysts should verify whether the regeneration was authorized, review the responsible user or service principal, and assess the potential security implications. |
| 31 | Security Rule Deletion | This detection identifies the deletion of a security rule from an Azure Network Security Group (NSG). Security rules control inbound and outbound traffic, and unauthorized deletions could weaken security defenses, expose resources to external threats, or facilitate lateral movement. Analysts should verify if the deletion was authorized, review the associated user or service principal, and assess the potential impact on network security. |
| 32 | Azure Automation Runbook Created or Modified | Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target’s environment. |
| 33 | Virtual Network Subnet Deleted | This detection identifies the successful deletion of a subnet within an Azure Virtual Network (VNet). Subnets define network segmentation and access controls, and unauthorized deletions may disrupt connectivity, isolate critical resources, or be part of an attacker’s effort to evade detection. Analysts should verify if the deletion was authorized, review the associated user or service principal, and assess the impact on network security and operations. |
| 34 | Azure Application Credential Modification | This detection identifies modifications to application credentials in Azure, such as changes to client secrets or certificate-based authentication. Unauthorized changes can indicate an attacker attempting to gain persistent access, escalate privileges, or bypass existing authentication mechanisms. Analysts should verify if the modification was authorized, review the associated user or service principal, and check for potential privilege escalation or lateral movement. |
| 35 | Azure Privilege Identity Management Role Modified | Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target’s environment or modify a PIM role to weaken their target’s security controls. |
| 36 | Azure Firewall Policy Deletion | Identifies the deletion of a firewall policy in Azure. Firewall policies define critical security rules, and their removal may indicate an attempt to disable protections, evade defenses, or facilitate unauthorized access. Analysts should investigate whether the deletion was intentional and review associated user activity. |
| 37 | User Added as Owner for Azure Application | This detection identifies when a user is added as an owner of an Azure Application. Ownership grants full control over the application, including managing credentials, modifying configurations, and assigning permissions. Unauthorized ownership assignments may indicate privilege escalation, persistence, or an attempt to take over critical cloud resources. Analysts should verify if the change was authorized, review the associated user or service principal, and check for suspicious privilege modifications. |
| 38 | Azure Network Watcher Deletion | Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses. |
| 39 | Azure Automation Runbook Deleted | This detection identifies the successful deletion of an Azure Automation Runbook. Runbooks are used to automate operational and security tasks within an Azure environment. Unauthorized deletions may indicate an attempt to disrupt automated security responses, hide malicious activity, or disable critical workflows. Analysts should verify if the deletion was expected, review the associated user or service principal, and check for privilege escalation or unauthorized access attempts. |
| 40 | Azure Event Hub Authorization Rule Created or Updated | This detection identifies when an Event Hub Authorization Rule is created or updated in Azure. Authorization rules define access rights and carry cryptographic keys, making them critical for security. Unauthorized modifications could allow an attacker to gain control over Event Hub data, escalate privileges, or disrupt logging. Analysts should verify if the change was authorized, review the associated user or service principal, and check for signs of privilege escalation or unauthorized access. |
| 41 | Azure Resource Group Deletion | Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data. |
| 42 | Network Security Group Created or Updated | This detection identifies the creation or modification of an Azure Network Security Group (NSG). NSGs are essential for controlling inbound and outbound traffic in Azure environments. Unauthorized changes may indicate an attempt to weaken security controls, allow lateral movement, or enable persistence. Analysts should verify if the change was expected, review the associated user or service principal, and assess the impact of the new or modified rules on network security. |
| 43 | Azure Key Vault Modified | This detection identifies modifications to an Azure Key Vault, such as changes to access policies, network settings, or other configurations. Azure Key Vault is used to store sensitive information like encryption keys, secrets, and certificates. Unauthorized modifications may indicate an attempt to weaken security controls, exfiltrate sensitive data, or establish persistence. Analysts should verify if the change was expected, review the associated user or service principal, and check for privilege escalation or unauthorized access. |
| 44 | Azure Command Execution on Virtual Machine | Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines but does not grant access to them, nor to the virtual network or storage account they’re connected to. However, commands can be executed via PowerShell on the VM, running as System. Other roles, such as certain Administrator roles, may also have the ability to execute commands on a VM. |
| 45 | Local Network Gateway Deleted | This detection identifies the successful deletion of an Azure Local Network Gateway, which is used to define on-premises VPN devices and enable hybrid network connectivity. Unauthorized deletions can disrupt VPN connections, isolate on-premises resources from the cloud, or be part of an attacker’s effort to evade monitoring and disable security controls. Analysts should verify if the deletion was authorized, review the associated user or service principal, and check for signs of privilege escalation or unauthorized access. |
| 46 | User Added as Owner for Azure Service Principal | This detection identifies when a user is added as an owner of an Azure Service Principal. Service Principals are critical for authentication and access control in Azure, and unauthorized ownership changes may indicate privilege escalation or persistence tactics by an attacker. Analysts should verify if the change was authorized, review the associated user or service principal, and check for any suspicious privilege modifications or credential abuse. |
| 47 | Azure Diagnostic Settings Deletion | Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses. |
| 48 | Security Rule has been Created or Updated | This detection identifies the creation or modification of a security rule within an Azure Network Security Group (NSG). Security rules define inbound and outbound traffic permissions, and unauthorized changes could weaken security controls, allowing unauthorized access or lateral movement. Analysts should verify if the change was expected, review the associated user or service principal, and check for deviations from security policies. |
| 49 | Azure Conditional Access Policy Modified | This detection identifies modifications to an Azure Conditional Access policy. Conditional Access policies enforce security controls by defining if-then conditions for resource access, such as requiring multi-factor authentication. An adversary may modify a policy to weaken security controls, enabling unauthorized access. Analysts should verify the legitimacy of the modification, review the associated user or service principal, and investigate potential privilege escalation. |
| 50 | Azure Automation Webhook Created | Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code. |
| 51 | Virtual Network Peering Deleted | This detection identifies the successful deletion of Virtual Network (VNet) Peering in Azure. VNet Peering connects different networks for secure communication, and its removal could disrupt connectivity or indicate malicious activity. Analysts should verify whether the deletion was authorized, review the associated user or service principal, and check for potential lateral movement or data exfiltration attempts. |
| 52 | Azure Network Configuration Modification | This detection identifies successful modifications to critical Azure network components, including network interfaces, TAP configurations, virtual appliances, virtual hubs, and virtual routers. Unauthorized or unexpected changes to these resources can impact network security and connectivity. Analysts should verify if the modifications were expected, review the associated user or service principal, and check for potential misconfigurations or malicious activity. |
| 53 | Azure Blob Container Access Level Modification | This detection identifies changes to the access level of an Azure Blob Storage container. Blob containers store critical data, and modifying their access level (e.g., making them public or changing role-based access) can expose sensitive information, facilitate data exfiltration, or weaken security controls. Analysts should verify if the modification was authorized, review the associated user or service principal, and check for signs of privilege escalation or unauthorized data access. |
| 54 | Azure Event Hub Deletion | This detection identifies the successful deletion of an Azure Event Hub, which is used for real-time data ingestion and streaming. Unauthorized deletions may indicate an attempt to disrupt logging, hide malicious activity, or disable security monitoring. Analysts should verify if the deletion was authorized, review the associated user or service principal, and check for signs of privilege escalation or unauthorized access. |
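Two of the Okta entries above describe concrete detection logic: MFA deactivated with no re-activation within six hours (#21) and a threshold of distinct users authenticating from one client address (#22). The block below is an added illustration of that logic over constructed Okta System Log style events, not the vendor's rule code; the event type names (`user.mfa.factor.deactivate`, `user.mfa.factor.activate`, `user.session.start`) and the five-user threshold are assumptions you would tune to your tenant.

```python
"""Added example: two Okta detections from the table, run over constructed
System Log style events. Event type names and the spray threshold are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_REACTIVATION_WINDOW = timedelta(hours=6)  # window stated in the table
SPRAY_USER_THRESHOLD = 5                       # assumed; tune per tenant


def _ts(s):
    """Parse an Okta 'published' timestamp (ISO 8601, trailing Z) to aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _target_user(ev):
    """Okta MFA factor events name the affected account in the target list."""
    for t in ev.get("target", []):
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


# Constructed sample events shaped like Okta System Log records.
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.deactivate", "published": "2025-04-10T08:00:00Z",
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "10.0.0.5"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.mfa.factor.activate", "published": "2025-04-10T09:30:00Z",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "10.0.0.9"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.mfa.factor.deactivate", "published": "2025-04-10T10:00:00Z",
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "10.0.0.5"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": "user.session.start", "published": "2025-04-10T11:30:00Z",
     "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "198.51.100.2"}, "target": []},
]
# Six different users signing in from one address within minutes (spray pattern).
for i in range(6):
    SAMPLE_EVENTS.append({"eventType": "user.session.start",
                          "published": f"2025-04-10T11:0{i}:00Z",
                          "actor": {"alternateId": f"user{i}@example.com"},
                          "client": {"ipAddress": "203.0.113.7"}, "target": []})


def mfa_deactivated_without_reactivation(events, now, window=MFA_REACTIVATION_WINDOW):
    """Return [(user, deactivation_time_iso)] for deactivations with no re-activation
    inside `window`. Deactivations younger than `window` at `now` are still pending
    and are not alerted, so a legitimate factor reset in progress does not fire."""
    now_dt = _ts(now)
    deactivations = defaultdict(list)
    reactivations = defaultdict(list)
    for ev in events:
        user, when = _target_user(ev), _ts(ev["published"])
        if ev["eventType"] == "user.mfa.factor.deactivate":
            deactivations[user].append(when)
        elif ev["eventType"] == "user.mfa.factor.activate":
            reactivations[user].append(when)
    alerts = []
    for user, times in deactivations.items():
        for t in sorted(times):
            if now_dt - t < window:
                continue  # window has not elapsed yet; re-evaluate later
            if not any(t < r <= t + window for r in reactivations[user]):
                alerts.append((user, t.isoformat()))
    return alerts


def multi_user_auth_from_one_address(events, threshold=SPRAY_USER_THRESHOLD):
    """Return {client_ip: sorted users} for addresses from which at least
    `threshold` distinct users authenticated (credential stuffing / spraying)."""
    users_by_ip = defaultdict(set)
    for ev in events:
        if ev["eventType"] == "user.session.start":
            users_by_ip[ev["client"]["ipAddress"]].add(ev["actor"]["alternateId"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= threshold}


if __name__ == "__main__":
    print(mfa_deactivated_without_reactivation(SAMPLE_EVENTS, "2025-04-10T18:00:00Z"))
    print(multi_user_auth_from_one_address(SAMPLE_EVENTS))
```

Evaluated at 18:00 the block alerts only on bob (deactivated at 10:00, never re-activated), while alice's 08:00 deactivation was re-activated at 09:30 inside the window; evaluated at 12:00 neither has aged past six hours, so nothing fires yet.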
New Dashboards
| Name |
|---|
| OKTA – Monitoring Insights |
| OKTA – Security Insights |
| AZURE – Monitoring Insights |
| AZURE – Security Monitoring |
New Reports
| Name |
|---|
| OKTA – Monitoring Insights |
| OKTA – Security Insights |
| AZURE – Monitoring Insights |
| AZURE – Security Monitoring |
