Analytics Alerts
Browse the Cortex analytics alert reference.
1273 alerts match the current filters.
Show list14 tactics · 153 techniques · cell shade = number of matching alerts; click a cell to list them.
Reconnaissance
14 alerts
Resource Development
22 alerts
Initial Access
155 alerts
- Valid Accounts (87)
- Phishing (46)
- Trusted Relationship (14)
- User Execution (10)
- External Remote Services (9)
- Unsecured Credentials (9)
- Steal Application Access Token (8)
- Exploit Public-Facing Application (6)
- Phishing for Information (6)
- Brute Force (5)
- Proxy (5)
- Account Manipulation (4)
- Exfiltration Over Alternative Protocol (4)
- Impair Defenses (4)
- Server Software Component (4)
- Modify Authentication Process (3)
- Resource Hijacking (3)
- Abuse Elevation Control Mechanism (2)
- Application Layer Protocol (2)
- Cloud Service Discovery (2)
- Command and Scripting Interpreter (2)
- Compromise Accounts (2)
- Data from Information Repositories (2)
- Forge Web Credentials (2)
- Impersonation (2)
- Non-Standard Port (2)
- Automated Collection (1)
- Automated Exfiltration (1)
- Cloud Service Dashboard (1)
- Data Destruction (1)
- Domain or Tenant Policy Modification (1)
- Exploitation of Remote Services (1)
- Hardware Additions (1)
- Multi-Factor Authentication Request Generation (1)
- OS Credential Dumping (1)
- Process Injection (1)
- Remote Services (1)
- Software Extensions (1)
- Supply Chain Compromise (1)
- Use Alternate Authentication Material (1)
Execution
145 alerts
- User Execution (53)
- Command and Scripting Interpreter (35)
- Deploy Container (15)
- System Services (14)
- Remote Services (11)
- Phishing (10)
- Brute Force (8)
- Windows Management Instrumentation (8)
- Scheduled Task/Job (7)
- Escape to Host (6)
- Masquerading (6)
- Container Administration Command (5)
- Native API (5)
- Cloud Administration Command (4)
- Serverless Execution (4)
- Create or Modify System Process (3)
- Automated Exfiltration (2)
- Container and Resource Discovery (2)
- Event Triggered Execution (2)
- Steal Application Access Token (2)
- Unsecured Credentials (2)
- Valid Accounts (2)
- Access Token Manipulation (1)
- Account Discovery (1)
- Account Manipulation (1)
- Application Layer Protocol (1)
- Boot or Logon Autostart Execution (1)
- Exploit Public-Facing Application (1)
- Hide Artifacts (1)
- Hijack Execution Flow (1)
- Impersonation (1)
- Lateral Tool Transfer (1)
- System Binary Proxy Execution (1)
- System Information Discovery (1)
- System Owner/User Discovery (1)
- Taint Shared Content (1)
Persistence
207 alerts
- Account Manipulation (82)
- Valid Accounts (52)
- Boot or Logon Autostart Execution (20)
- Scheduled Task/Job (16)
- Create Account (13)
- Hijack Execution Flow (10)
- Create or Modify System Process (8)
- Event Triggered Execution (8)
- External Remote Services (7)
- Modify Authentication Process (7)
- Server Software Component (7)
- Software Extensions (5)
- Cloud Application Integration (4)
- Remote Services (4)
- Use Alternate Authentication Material (4)
- Domain or Tenant Policy Modification (3)
- Masquerading (3)
- Command and Scripting Interpreter (2)
- Forge Web Credentials (2)
- Hide Artifacts (2)
- Impair Defenses (2)
- Permission Groups Discovery (2)
- Process Injection (2)
- Steal or Forge Authentication Certificates (2)
- System Services (2)
- Access Token Manipulation (1)
- Account Access Removal (1)
- Account Discovery (1)
- Application Layer Protocol (1)
- Automated Exfiltration (1)
- BITS Jobs (1)
- Boot or Logon Initialization Scripts (1)
- Compromise Host Software Binary (1)
- Data Destruction (1)
- Escape to Host (1)
- Exfiltration Over Alternative Protocol (1)
- Multi-Factor Authentication Request Generation (1)
- Pre-OS Boot (1)
- Replication Through Removable Media (1)
- Serverless Execution (1)
- Supply Chain Compromise (1)
- System Binary Proxy Execution (1)
- Trusted Relationship (1)
- Unsecured Credentials (1)
- User Execution (1)
- Windows Management Instrumentation (1)
Privilege Escalation
130 alerts
- Account Manipulation (53)
- Valid Accounts (46)
- Abuse Elevation Control Mechanism (14)
- Escape to Host (13)
- Domain or Tenant Policy Modification (7)
- Hijack Execution Flow (7)
- Deploy Container (5)
- Access Token Manipulation (3)
- Boot or Logon Autostart Execution (3)
- Create or Modify System Process (3)
- Event Triggered Execution (3)
- Scheduled Task/Job (3)
- Exploitation for Privilege Escalation (2)
- Process Injection (2)
- Steal or Forge Authentication Certificates (2)
- System Services (2)
- Trusted Relationship (2)
- Unsecured Credentials (2)
- Use Alternate Authentication Material (2)
- Account Discovery (1)
- Boot or Logon Initialization Scripts (1)
- Cloud Infrastructure Discovery (1)
- Command and Scripting Interpreter (1)
- Container Administration Command (1)
- Container and Resource Discovery (1)
- Data Destruction (1)
- User Execution (1)
Defense Evasion
249 alerts
- Impair Defenses (82)
- Masquerading (24)
- System Binary Proxy Execution (22)
- Process Injection (15)
- Valid Accounts (15)
- Hide Artifacts (14)
- Impersonation (12)
- User Execution (10)
- Abuse Elevation Control Mechanism (9)
- Indicator Removal (9)
- Modify Authentication Process (9)
- Modify Cloud Compute Infrastructure (9)
- Obfuscated Files or Information (9)
- Hijack Execution Flow (8)
- Phishing (7)
- Domain or Tenant Policy Modification (5)
- Deobfuscate/Decode Files or Information (4)
- Virtualization/Sandbox Evasion (4)
- Account Manipulation (3)
- Application Layer Protocol (3)
- Data Destruction (3)
- OS Credential Dumping (3)
- Use Alternate Authentication Material (3)
- Create or Modify System Process (2)
- Data Encrypted for Impact (2)
- Data Manipulation (2)
- Data from Cloud Storage (2)
- File and Directory Permissions Modification (2)
- Reflective Code Loading (2)
- Remote Services (2)
- Rogue Domain Controller (2)
- Rootkit (2)
- Transfer Data to Cloud Account (2)
- Trusted Relationship (2)
- Unused/Unsupported Cloud Regions (2)
- Access Token Manipulation (1)
- Cloud Application Integration (1)
- Cloud Infrastructure Discovery (1)
- Cloud Service Discovery (1)
- Compromise Host Software Binary (1)
- Create Account (1)
- Credentials from Password Stores (1)
- Email Collection (1)
- Exfiltration Over Alternative Protocol (1)
- Exploitation for Defense Evasion (1)
- Indirect Command Execution (1)
- Ingress Tool Transfer (1)
- Modify Registry (1)
- Proxy (1)
- Scheduled Task/Job (1)
- Service Stop (1)
- Subvert Trust Controls (1)
- Trusted Developer Utilities Proxy Execution (1)
- Unsecured Credentials (1)
- Weaken Encryption (1)
- Web Service (1)
Credential Access
194 alerts
- Unsecured Credentials (55)
- Brute Force (49)
- OS Credential Dumping (21)
- Credentials from Password Stores (18)
- Valid Accounts (18)
- Steal Application Access Token (15)
- Compromise Accounts (14)
- Steal or Forge Authentication Certificates (12)
- Steal or Forge Kerberos Tickets (12)
- Adversary-in-the-Middle (10)
- Modify Authentication Process (9)
- User Execution (9)
- Account Discovery (7)
- Forge Web Credentials (6)
- Use Alternate Authentication Material (6)
- Account Manipulation (5)
- Forced Authentication (5)
- Data from Cloud Storage (3)
- File and Directory Discovery (3)
- Multi-Factor Authentication Request Generation (3)
- Network Sniffing (3)
- Cloud Service Discovery (2)
- Exploit Public-Facing Application (2)
- Input Capture (2)
- Phishing (2)
- Rogue Domain Controller (2)
- System Service Discovery (2)
- Trusted Relationship (2)
- Command and Scripting Interpreter (1)
- Deobfuscate/Decode Files or Information (1)
- Exploitation of Remote Services (1)
- Hide Artifacts (1)
- Remote Services (1)
- Steal Web Session Cookie (1)
- System Information Discovery (1)
- System Owner/User Discovery (1)
- Windows Management Instrumentation (1)
Discovery
134 alerts
- Account Discovery (37)
- Cloud Service Discovery (28)
- Cloud Infrastructure Discovery (17)
- Permission Groups Discovery (14)
- Remote System Discovery (13)
- System Network Configuration Discovery (11)
- Container and Resource Discovery (10)
- System Information Discovery (9)
- File and Directory Discovery (8)
- System Service Discovery (8)
- Network Service Discovery (7)
- Cloud Storage Object Discovery (4)
- Steal or Forge Authentication Certificates (4)
- System Owner/User Discovery (4)
- Create Account (3)
- Credentials from Password Stores (3)
- Network Sniffing (3)
- OS Credential Dumping (3)
- Valid Accounts (3)
- Virtualization/Sandbox Evasion (3)
- Browser Information Discovery (2)
- Brute Force (2)
- Deploy Container (2)
- Domain Trust Discovery (2)
- Log Enumeration (2)
- Process Discovery (2)
- Remote Services (2)
- Windows Management Instrumentation (2)
- Abuse Elevation Control Mechanism (1)
- Account Manipulation (1)
- Automated Collection (1)
- Cloud Service Dashboard (1)
- Data from Local System (1)
- Escape to Host (1)
- Group Policy Discovery (1)
- Network Share Discovery (1)
- Password Policy Discovery (1)
- Resource Hijacking (1)
- Software Discovery (1)
- Steal or Forge Kerberos Tickets (1)
- System Network Connections Discovery (1)
- System Time Discovery (1)
- Unsecured Credentials (1)
- Unused/Unsupported Cloud Regions (1)
Lateral Movement
77 alerts
- Remote Services (51)
- Use Alternate Authentication Material (18)
- System Services (5)
- Adversary-in-the-Middle (4)
- Valid Accounts (4)
- Account Manipulation (3)
- Exploitation of Remote Services (3)
- Cloud Administration Command (2)
- Command and Scripting Interpreter (2)
- Forge Web Credentials (2)
- Impair Defenses (2)
- Internal Spearphishing (2)
- Remote Access Tools (2)
- Scheduled Task/Job (2)
- Windows Management Instrumentation (2)
- Brute Force (1)
- Cloud Service Discovery (1)
- Exploit Public-Facing Application (1)
- Hijack Execution Flow (1)
- Lateral Tool Transfer (1)
- Network Service Discovery (1)
- Remote Service Session Hijacking (1)
- Replication Through Removable Media (1)
- Steal Application Access Token (1)
- Taint Shared Content (1)
- Unsecured Credentials (1)
- User Execution (1)
Collection
72 alerts
- Data from Cloud Storage (21)
- Data Staged (18)
- Automated Exfiltration (13)
- Email Collection (12)
- Data from Information Repositories (10)
- Archive Collected Data (6)
- Automated Collection (5)
- Data from Local System (5)
- Exfiltration Over Physical Medium (5)
- Unsecured Credentials (3)
- Valid Accounts (3)
- Input Capture (2)
- Modify Cloud Compute Infrastructure (2)
- Screen Capture (2)
- Transfer Data to Cloud Account (2)
- Audio Capture (1)
- Browser Information Discovery (1)
- Clipboard Data (1)
- Credentials from Password Stores (1)
- Data from Network Shared Drive (1)
- Exfiltration Over Alternative Protocol (1)
- Exfiltration Over Web Service (1)
- Gather Victim Host Information (1)
- Indicator Removal (1)
- Video Capture (1)
Command and Control
72 alerts
- Application Layer Protocol (36)
- Proxy (11)
- Web Service (7)
- Non-Standard Port (6)
- Remote Access Tools (5)
- Valid Accounts (5)
- Exfiltration Over Web Service (4)
- Non-Application Layer Protocol (4)
- Protocol Tunneling (4)
- System Binary Proxy Execution (4)
- Ingress Tool Transfer (3)
- Dynamic Resolution (2)
- Exfiltration Over Alternative Protocol (2)
- Phishing (2)
- Remote Services (2)
- Trusted Relationship (2)
- Command and Scripting Interpreter (1)
- Exfiltration Over C2 Channel (1)
- Impair Defenses (1)
- Masquerading (1)
- Software Extensions (1)
Exfiltration
83 alerts
- Transfer Data to Cloud Account (32)
- Exfiltration Over Alternative Protocol (20)
- Automated Exfiltration (16)
- Data from Cloud Storage (11)
- Exfiltration Over Web Service (7)
- Data Staged (6)
- Exfiltration Over Physical Medium (6)
- Email Collection (5)
- Application Layer Protocol (4)
- Phishing (4)
- Web Service (3)
- Command and Scripting Interpreter (2)
- Modify Cloud Compute Infrastructure (2)
- Data Transfer Size Limits (1)
- Event Triggered Execution (1)
- Exfiltration Over C2 Channel (1)
- External Remote Services (1)
- Impair Defenses (1)
- Remote Access Tools (1)
- Valid Accounts (1)
Impact
92 alerts
- Data Destruction (23)
- Account Access Removal (16)
- Network Denial of Service (14)
- Service Stop (12)
- Inhibit System Recovery (10)
- Data Manipulation (9)
- Impair Defenses (7)
- Resource Hijacking (7)
- Valid Accounts (6)
- Data Encrypted for Impact (4)
- Endpoint Denial of Service (2)
- Financial Theft (2)
- System Shutdown/Reboot (2)
- Cloud Service Discovery (1)
- Indicator Removal (1)
- Network Service Discovery (1)
- Obfuscated Files or Information (1)