← Back to Cybersecurity News Center
Severity
LOW
Priority
0.678
×
Tip
Pick your view
Analyst for full detail, Executive for the short version.
Analyst
Executive
Executive Summary
Cisco Talos researcher Martin Lee has published a defensive technique using large language models to generate dynamic, high-fidelity honeypots that convincingly simulate Linux shells and IoT device interfaces. The approach targets a structural weakness in AI-driven automated attack tools: they prioritize speed and scale over environmental verification, making them susceptible to deception at the same pace they attack. For security leaders, this signals a meaningful shift in the honeypot paradigm, from passive logging infrastructure to active behavioral manipulation of automated adversaries.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
LOW
Low severity — monitor and assess
Actor Attribution
HIGH
Automated AI-orchestrated scanning tooling (unattributed), Credential-stuffing bot operators (unattributed)
TTP Sophistication
HIGH
10 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
AI-driven automated attack tools (generic); Shellshock (CVE-2014-6271) referenced as simulated vulnerability in honeypot demonstrations only, not newly affected
Are You Exposed?
⚠
Your industry is targeted by Automated AI-orchestrated scanning tooling (unattributed), Credential-stuffing bot operators (unattributed) → Heightened risk
⚠
You use products/services from AI-driven automated attack tools (generic); Shellshock (CVE-2014-6271) referenced as simulated vulnerability in honeypot demonstrations only → Assess exposure
⚠
10 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
Organizations operating large numbers of internet-exposed Linux systems, IoT devices, or legacy infrastructure face a growing volume of automated, AI-accelerated probing that traditional static defenses do not slow meaningfully. This research signals that the cost of deploying credible deception infrastructure is dropping, potentially allowing security teams to convert attacker activity into actionable threat intelligence without significant capital investment. For boards and executives, the strategic message is that AI is not solely an offensive accelerant — it is also becoming a cost-effective defensive tool that can shift the economics of automated attacks.
You Are Affected If
Your organization operates internet-facing Linux servers or IoT devices that are regularly probed by automated scanners.
Your security operations program currently relies on static honeypots or honeytokens that sophisticated tooling may fingerprint.
Your threat model includes credential-stuffing bot operators or automated exploitation frameworks targeting exposed services.
Your environment includes legacy systems running services historically targeted by known exploits (e.g., Shellshock-era Bash vulnerabilities) that automated tools continue to probe opportunistically.
Business Risk
Likelihood: LOW
Impact: VERY LOW
Treatment: ACCEPT
Confidence: Moderate
This item describes a defensive research technique, not an active threat targeting the organization; no confirmed exploitation exists and the CVE referenced (Shellshock) appears only in honeypot simulation context, meaning direct organizational exposure to novel attack activity from this item is negligible. Business impact is very low because the primary consequence of inaction is a missed opportunity to adopt an emerging deception capability, not an operational, financial, or regulatory harm.
Treatment rationale: No new attack surface is introduced by this research; the item presents an optional defensive capability to evaluate, not a threat requiring active remediation, making acceptance of current posture appropriate while monitoring adoption maturity.
Loss Exposure (illustrative)
Magnitude: very low — illustrative $0–$10K opportunity cost if deception capability is deferred and automated probing consumes analyst triage time that this technique could have reduced
Frequency: Not applicable as a direct loss event; framed as an unrealized defensive efficiency gain rather than a discrete loss scenario
Basis: No loss event is introduced by this item. The illustrative figure reflects analyst triage overhead cost from AI-accelerated automated probing that continues without a deception layer — derived from the operational premise that security teams absorbing high-volume automated probe alerts incur triage labor cost. No third-party loss figures cited.
Illustrative estimate — not actuarially derived.
Technical Analysis
Martin Lee's research, published on the Cisco Talos Blog, demonstrates that generative AI, specifically OpenAI's GPT-3.5-turbo, can serve as the back-end engine for honeypots that simulate realistic computing environments in real time.
Unlike static honeypots, which attacker tooling can fingerprint through response inconsistencies, LLM-generated environments adapt dynamically to attacker inputs, producing contextually plausible shell responses, file system structures, and service banners.
The core insight is adversarial asymmetry: AI-orchestrated attack tools (automated scanners, credential-stuffing bots, exploitation frameworks) are optimized for throughput.
They do not pause to verify environmental authenticity. This blind spot, speed prioritized over stealth, is precisely what LLM honeypots exploit. The simulated environment responds convincingly enough to sustain attacker engagement long enough to collect TTPs at scale.
The research references CVE-2014-6271 (Shellshock) as an example of a simulated vulnerability bait embedded in the honeypot environment. This is not a new exploitation of Shellshock; it illustrates the technique of presenting known, credible-looking weaknesses to induce attacker interaction. The honeypot essentially offers the attacker what they expect to find, then observes what they do next.
From a MITRE ATT&CK perspective, the technique is designed to surface adversary behaviors across Initial Access (T1190 , Exploit Public-Facing Application), Execution (T1059.004 , Unix Shell), Discovery (T1049 , System Network Connections Discovery), and Collection (T1005 , Data from Local System). By presenting plausible attack surfaces, defenders can observe how automated tools combine techniques and what post-exploitation actions they attempt first.
The broader implication for security operations teams is architectural: this research suggests that LLM infrastructure already available to defenders can be repurposed as an active deception layer without requiring purpose-built honeypot appliances. The friction cost shifts to the attacker, who must now account for the possibility that any responding system may be a fabricated environment. That uncertainty, applied at scale, has measurable deterrent and intelligence value.
Action Checklist IR ENRICHED
Triage Priority:
DEFERRED
Escalate to urgent if network telemetry reveals AI-speed automated scanning (sub-second SSH or HTTP probe cadence) actively targeting internet-facing Linux or IoT assets, or if existing honeypots show a measurable decline in interaction volume suggesting AI-driven fingerprint-and-skip behavior has rendered current deception infrastructure ineffective.
1
Step 1: Containment — Inventory all internet-facing Linux and IoT assets to identify exposure surface before deploying any deception layer. Confirm each asset appears in the enterprise asset register. (Cite: CIS 1.1 — Establish and Maintain Detailed Enterprise Asset Inventory / NIST AC-4 — Information Flow Enforcement)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR capability and understanding the environment prior to incidents
NIST IR-4 (Incident Handling) — preparation sub-phase requires knowing which assets are exposed and what deception infrastructure supports them
NIST SI-4 (System Monitoring) — baseline understanding of which internet-facing Linux and IoT assets are currently monitored informs deception placement
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) — accurate inventory of internet-facing Linux servers and IoT devices is prerequisite to deception layer placement decisions
CIS 4.4 (Implement and Manage a Firewall on Servers) — network exposure assessment for Linux assets is a prerequisite to understanding where LLM-backed honeypots provide the most value
Compensating Control
Run a passive internet exposure scan using Shodan CLI (`shodan search 'org:"YOUR-ORG"'`) or Censys free tier to enumerate your organization's publicly visible Linux and IoT assets. Cross-reference results against your asset inventory spreadsheet. For IoT-specific exposure, filter Shodan results by banner strings (e.g., BusyBox, OpenWRT, Telnet banners) to identify devices AI scanners would target with Shellshock-style probes or credential stuffing.
Preserve Evidence
Before committing to deception deployment, document current internet-facing asset exposure: capture Shodan/Censys scan results showing exposed services (SSH port 22, HTTP/S 80/443, Telnet 23) on Linux and IoT assets; preserve current firewall rule exports showing which services are accessible; record existing honeypot solution names and versions so you can later assess whether they are statically fingerprinted by AI scanners targeting Shellshock-era Linux signatures.
2
Step 2: Detection — Enable and verify audit logging across all externally exposed SSH, Telnet, and web authentication endpoints. Ensure logs capture source IP, timestamp, authentication outcome, and command sequences. Review SSH and web server logs for high-velocity sequential access attempts from single or narrow IP ranges. Hunt for Shellshock-style payload patterns (bash function definitions in HTTP request headers) in web server logs. (Cite: NIST AU-2 — Event Logging / NIST AU-3 — Content Of Audit Records / CIS 8.2 — Collect Audit Logs / D3-LAM — Local Account Monitoring)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Equipping the IR team with tools and capabilities to detect and respond to incidents
NIST IR-4 (Incident Handling) — preparation includes maintaining and auditing deception tools as part of IR capability inventory
NIST SI-4 (System Monitoring) — evaluating whether existing honeypots generate actionable telemetry for AI-driven automated scanners vs. static decoys that are fingerprinted and skipped
NIST SI-7 (Software, Firmware, and Information Integrity) — assessing whether honeypot responses accurately simulate expected Linux shell or IoT firmware behavior to avoid trivial detection by AI tooling
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — deception posture review is part of the broader defensive control audit cycle
Compensating Control
Fingerprint your own honeypots before AI scanners do: use Nmap with version detection (`nmap -sV -p 22,23,80,8080 <honeypot_IP>`) and compare banners against known Cowrie, HoneyD, or OpenCanary default signatures listed in public fingerprint databases. Run a basic HTTP request to any web-facing honeypot with a Shellshock-style User-Agent header (`curl -H 'User-Agent: () { :; }; echo vulnerable'`) and verify whether the response is dynamically generated or a static canned reply — static replies are trivially detected by AI scanners performing behavioral verification.
Preserve Evidence
Capture current honeypot configuration files (e.g., Cowrie `cowrie.cfg`, OpenCanary `opencanary.conf`) and banner/response templates before any changes; preserve Nmap scan outputs of your own honeypots documenting current fingerprint exposure; collect 30 days of honeypot interaction logs to establish baseline interaction volume and determine whether existing decoys are already being skipped by high-speed automated scanners — a sudden drop in honeypot hits despite increased internet-facing scan activity is a direct indicator of AI-driven fingerprint-and-skip behavior.
3
Step 3: Eradication — Add AI-orchestrated automated scanning and credential-stuffing tooling as a distinct category in the threat register. These tools operate at machine speed with no variable dwell time; update detection logic to distinguish them from human-paced interactions. Enforce MFA on all externally exposed services to reduce automated credential attack effectiveness. Disable or rotate any credentials exposed during probing activity. (Cite: NIST AC-7 — Unsuccessful Logon Attempts / CIS 6.3 — Require MFA for Externally-Exposed Applications / CIS 6.4 — Require MFA for Remote Network Access / D3-CH — Credential Hardening / D3-CRO — Credential Rotation)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Developing threat models and detection logic informed by current adversary capabilities
NIST IR-8 (Incident Response Plan) — threat register updates ensure the IR plan reflects current adversary tooling categories including AI-orchestrated automation
NIST RA-3 (Risk Assessment) — AI-automated scanners represent a distinct threat category with different velocity, scale, and evasion characteristics than human operators and must be assessed independently
NIST SI-4 (System Monitoring) — detection logic for AI-driven scanning tools differs from human-operator signatures: look for machine-speed request cadence, lack of browser fingerprints, and systematic credential list exhaustion rather than targeted guessing
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — threat register maintenance is part of the vulnerability management lifecycle, ensuring new attack categories like AI-automated tools are formally tracked
Compensating Control
Create a dedicated threat register entry using a structured template (MITRE ATT&CK T1595 — Active Scanning and T1110 — Brute Force as anchors). Document distinguishing behavioral characteristics: AI-driven tools exhibit sub-second inter-request timing, systematic port/path enumeration without randomization jitter, and credential stuffing patterns drawn from rockyou2024-style wordlists rather than targeted password guessing. Use a free Sigma rule (search the SigmaHQ GitHub repository for 'credential stuffing' and 'automated scanner' rules) to operationalize detection in any log aggregation tool, including the ELK Stack free tier.
Preserve Evidence
Pull 90 days of SSH authentication logs (`/var/log/auth.log` on Debian/Ubuntu or `/var/log/secure` on RHEL/CentOS) and web server access logs (`/var/log/apache2/access.log` or `/var/log/nginx/access.log`) for your internet-facing Linux assets; filter for request rates exceeding 10 authentication attempts per second from a single source IP or systematic URI path enumeration with no referrer header — these are behavioral signatures of the AI-automated scanning tools this research targets, distinct from human-operator patterns. Preserve pcap captures from any perimeter monitoring point showing inter-packet timing distributions for comparison against human browsing baselines.
4
Step 4: Recovery — Evaluate and audit current honeypot and deception technology posture. Determine whether existing solutions produce static, fingerprintable responses. Where gaps exist, assess feasibility of deploying dynamic deception resources (such as LLM-backed honeypots) to expose automated attacker tooling. Validate that deception assets are isolated from production systems and do not introduce new exposure. (Cite: NIST AC-4 — Information Flow Enforcement / D3-DNR — Decoy Network Resource / CIS 4.4 — Implement and Manage a Firewall on Servers)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Selecting, deploying, and maintaining IR tools and capabilities aligned to organizational capacity
NIST IR-2 (Incident Response Training) — LLM-backed honeypot operation requires new skill sets; assess whether the team needs training on prompt engineering, LLM API integration, and deception telemetry analysis before deployment
NIST IR-3 (Incident Response Testing) — any LLM-backed honeypot must be tested to verify it does not generate responses that accidentally expose real infrastructure details or provide adversaries with useful information about actual system configurations
NIST SA-11 (Developer Testing and Evaluation) — evaluating LLM integration feasibility includes assessing whether LLM-generated shell responses could inadvertently leak real hostnames, internal IP ranges, or valid credentials through hallucinated but accurate-seeming outputs
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — feasibility assessment includes evaluating the operational overhead of maintaining LLM-backed deception infrastructure as a managed defensive control
Compensating Control
For a 2-person team evaluating feasibility without production commitment: stand up a sandboxed proof-of-concept using a locally hosted open-source LLM (Ollama with Llama 3 or Mistral) on an isolated VM, configured to respond to simulated Shellshock probe strings (`() { :; };`) and SSH banner requests; log all generated responses to a flat file for manual review. This validates LLM response fidelity and identifies hallucination risks (e.g., the LLM generating real-looking but internally consistent hostnames) before any internet-facing deployment. Budget estimate: 0 licensing cost, ~4 hours setup time.
Preserve Evidence
Before deploying any LLM-backed honeypot into an internet-facing position, document the threat model for the honeypot itself: capture the attack surface introduced by LLM API keys, prompt injection risks (an AI scanner could craft inputs designed to extract the system prompt or operational details), and outbound data flow from the honeypot host. Preserve the feasibility assessment as a dated artifact for audit purposes per NIST IR-8 (Incident Response Plan) requirements, noting specifically whether the LLM deployment introduces new risk to the organization's production environment.
5
Step 5: Post-Incident — Review audit log retention settings to ensure logs from deception assets and exposed services are retained long enough to support after-action analysis and threat hunting. Establish a recurring review cadence for AU log data from honeypot and perimeter systems. Monitor Cisco Talos for follow-on detection signatures or tooling releases associated with this research. (Cite: NIST AU-6 — Audit Record Review, Analysis, And Reporting / NIST AU-11 — Audit Record Retention / NIST AU-4 — Audit Storage Capacity)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Incorporating lessons learned and threat intelligence into improved defensive posture
NIST SI-5 (Security Alerts, Advisories, and Directives) — formally tracking Cisco Talos research feeds as an authoritative external source for emerging technique disclosures and associated detection artifacts
NIST IR-4 (Incident Handling) — post-incident improvement loop includes integrating new deception techniques and detection signatures from threat intelligence sources as they mature
CIS 7.2 (Establish and Maintain a Remediation Process) — tracking follow-on Talos publications ensures the organization's deception and detection roadmap incorporates vendor-released tooling or Snort/ClamAV signatures before AI-automated attack tooling adapts to counter initial LLM honeypot deployments
Compensating Control
Subscribe to the Cisco Talos Intelligence Blog RSS feed (https://blog.talosintelligence.com/rss/) using a free RSS reader (Feedly free tier or a self-hosted FreshRSS instance). Create a keyword alert for 'honeypot', 'LLM', 'deception', and 'Martin Lee' to surface directly relevant follow-on publications. If Talos releases Snort rules or ClamAV signatures tied to this research, import them immediately into any existing open-source IDS (Suricata free tier supports Snort rule format). Set a 90-day calendar reminder to re-review whether Talos has released an operationalized tool or updated implementation guidance, as the research is explicitly described as a technique demonstration.
Preserve Evidence
Maintain a dated threat intelligence log entry for this Talos research publication, recording: publication date, technique description, CVE-2014-6271 as the simulated vulnerability used in demonstrations, and the current maturity state (technique demonstration, no finished tooling as of publication date). This log entry serves as the baseline against which future Talos updates are compared, and satisfies NIST AU-6 (Audit Record Review, Analysis, and Reporting) requirements for tracking threat intelligence consumption and action taken.
Recovery Guidance
This advisory describes a defensive technique enhancement, not an active incident requiring recovery actions; post-implementation verification should confirm that any deployed LLM-backed honeypot produces varied, non-static responses across repeated probes from the same source IP (validating anti-fingerprint efficacy) and that honeypot interaction telemetry is flowing to a log aggregation point for analyst review. Monitor honeypot interaction volume weekly for the first 90 days post-deployment to establish a new baseline and detect whether AI-automated scanners adapt to the LLM-generated responses, which would signal the need for prompt template rotation or model updates. Verify that the honeypot host has no network path to production systems and that LLM API credentials are scoped exclusively to the deception deployment.
Key Forensic Artifacts
SSH authentication logs on internet-facing Linux hosts (`/var/log/auth.log` or `/var/log/secure`) filtered for machine-speed brute-force cadence (>10 attempts/second) and systematic username enumeration from rockyou2024-style wordlists — the behavioral signature of AI-automated credential-stuffing tools this research targets
Web server access logs (`/var/log/apache2/access.log` or `/var/log/nginx/access.log`) filtered for HTTP requests containing Shellshock probe strings in User-Agent, Referer, or Cookie headers (pattern: `() { :;`), which AI-automated scanners continue to test at scale against Linux web servers as a fingerprinting and exploitation check
LLM-backed honeypot interaction logs capturing full request/response pairs from automated scanners, including the exact probe sequences AI tools use after receiving a convincing shell response — this telemetry is the primary intelligence output of the deception deployment and reveals AI scanner decision logic
Network flow records (NetFlow/IPFIX or pcap from a perimeter tap) showing inter-packet timing distributions for inbound connections to honeypot IP addresses — sub-millisecond timing jitter distinguishes AI-automated tools from human operators and validates that the honeypot is attracting the intended target category
Honeypot configuration snapshots (e.g., Cowrie `cowrie.cfg`, OpenCanary `opencanary.conf`, or LLM prompt templates) versioned and dated at each change — required to correlate shifts in attacker interaction patterns with specific deception configuration changes and to support post-incident analysis of what attacker behavior the honeypot successfully captured versus what it missed
Detection Guidance
This story describes a defensive technique demonstration, not an active incident.
Detection guidance targets the attacker behavior the technique is designed to expose: AI-driven automated attack tools.
Under NIST AU-2 (Event Logging), define and enable logging for authentication attempts, command execution, and service banner interactions across all internet-facing Linux and IoT systems.
NIST AU-3 (Content Of Audit Records) requires logs to capture event type, timestamp, source, and outcome — ensure SSH and web server logs meet this standard. CIS 8.2 (Collect Audit Logs) mandates logging is enabled across enterprise assets per the audit log management process; verify coverage on all perimeter-exposed services. Use NIST AU-6 (Audit Record Review, Analysis, And Reporting) to establish a recurring review cycle specifically targeting behavioral signatures of automated tooling: high-velocity sequential probing of SSH (port 22), Telnet (port 23), and HTTP/S endpoints; sub-second inter-request timing with no human-paced dwell; scripted exploitation sequences that do not verify prior-step success; and credential-stuffing patterns cycling large wordlists. Apply D3-LAM (Local Account Monitoring) to analyze local account activity on exposed systems for unauthorized or anomalous access patterns generated by automated tools. Apply D3-DNR (Decoy Network Resource) as the primary deception countermeasure: deploy honeypot assets that attract and log automated scanner behavior without exposing production systems. Use NIST AU-9 (Protection Of Audit Information) to protect honeypot log data from tampering — attacker tooling that reaches logging infrastructure could otherwise corrupt detection records. For web-facing services, apply D3-PBWSAM (Proxy-based Web Server Access Mediation) to regulate and inspect inbound HTTP traffic, enabling detection of Shellshock-style payloads (bash function definitions injected into HTTP headers such as User-Agent, Referer, or Cookie fields) before they reach origin servers. Note: NIST SI-family controls (e.g., SI-3, SI-4) for malicious code protection and system monitoring are directly relevant to this threat pattern but are not present in the current KB reference data. If your organization's NIST control set includes SI-4 (System Monitoring), apply it to continuous monitoring of perimeter services for anomalous automated activity.
Indicators of Compromise (1)
Export as
Splunk SPL
KQL
Elastic
Copy All (1)
1 tool
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.
KQL Query Preview
Read-only — detection query only
// Threat: Generative AI Honeypots Exploit Automation Blind Spots to Counter AI-Driven Atta
// Attack tool: Pending — refer to Cisco Talos Blog for any published indicators
// Context: The Cisco Talos research documents behavioral patterns of AI-orchestrated automated attack tools observed interacting with LLM-generated honeypots; specific tool signatures, hashes, or infrastructure
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "Pending — refer to Cisco Talos Blog for any published indicators"
or ProcessCommandLine has "Pending — refer to Cisco Talos Blog for any published indicators"
or InitiatingProcessCommandLine has "Pending — refer to Cisco Talos Blog for any published indicators"
| project Timestamp, DeviceName, FileName, FolderPath,
ProcessCommandLine, AccountName, AccountDomain,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Web application exploit patterns
KQL Query Preview
Read-only — detection query only
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
or RequestURL has_any ("../", "..\\\\", "<script", "UNION SELECT", "\${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Sentinel rule: Suspicious PowerShell command line
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
KQL Query Preview
Read-only — detection query only
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
KQL Query Preview
Read-only — detection query only
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1659
T1583.006
T1588.006
T1005
T1584
T1190
+4
CA-8
RA-5
SC-7
SI-2
SI-7
CM-7
+9
MITRE ATT&CK Mapping
T1659
Content Injection
initial-access
T1588.006
Vulnerabilities
resource-development
T1005
Data from Local System
collection
T1584
Compromise Infrastructure
resource-development
T1190
Exploit Public-Facing Application
initial-access
T1049
System Network Connections Discovery
discovery
T1566
Phishing
initial-access
T1078
Valid Accounts
defense-evasion
Free Template
CompTIA Security+ Certification
Build core cybersecurity skills — Security+ exam prep, study guide & roadmap.
Guidance Disclaimer
