Analytics Alerts
Browse the Cortex analytics alert reference.
207 alerts match the current filters. tactic: TA0003 ✕
Show list11 tactics · 46 techniques · cell shade = number of matching alerts; click a cell to list them.
Initial Access
13 alerts
- Valid Accounts (8)
- Account Manipulation (4)
- External Remote Services (4)
- Server Software Component (4)
- Domain or Tenant Policy Modification (1)
- Forge Web Credentials (1)
- Multi-Factor Authentication Request Generation (1)
- Remote Services (1)
- Software Extensions (1)
- Supply Chain Compromise (1)
- Trusted Relationship (1)
Execution
11 alerts
- Scheduled Task/Job (5)
- Command and Scripting Interpreter (2)
- Create or Modify System Process (2)
- Event Triggered Execution (2)
- System Services (2)
- Access Token Manipulation (1)
- Account Manipulation (1)
- Automated Exfiltration (1)
- Boot or Logon Autostart Execution (1)
- Serverless Execution (1)
- User Execution (1)
- Windows Management Instrumentation (1)
Persistence
207 alerts
- Account Manipulation (82)
- Valid Accounts (52)
- Boot or Logon Autostart Execution (20)
- Scheduled Task/Job (16)
- Create Account (13)
- Hijack Execution Flow (10)
- Create or Modify System Process (8)
- Event Triggered Execution (8)
- External Remote Services (7)
- Modify Authentication Process (7)
- Server Software Component (7)
- Software Extensions (5)
- Cloud Application Integration (4)
- Remote Services (4)
- Use Alternate Authentication Material (4)
- Domain or Tenant Policy Modification (3)
- Masquerading (3)
- Command and Scripting Interpreter (2)
- Forge Web Credentials (2)
- Hide Artifacts (2)
- Impair Defenses (2)
- Permission Groups Discovery (2)
- Process Injection (2)
- Steal or Forge Authentication Certificates (2)
- System Services (2)
- Access Token Manipulation (1)
- Account Access Removal (1)
- Account Discovery (1)
- Application Layer Protocol (1)
- Automated Exfiltration (1)
- BITS Jobs (1)
- Boot or Logon Initialization Scripts (1)
- Compromise Host Software Binary (1)
- Data Destruction (1)
- Escape to Host (1)
- Exfiltration Over Alternative Protocol (1)
- Multi-Factor Authentication Request Generation (1)
- Pre-OS Boot (1)
- Replication Through Removable Media (1)
- Serverless Execution (1)
- Supply Chain Compromise (1)
- System Binary Proxy Execution (1)
- Trusted Relationship (1)
- Unsecured Credentials (1)
- User Execution (1)
- Windows Management Instrumentation (1)
Privilege Escalation
64 alerts
- Account Manipulation (46)
- Valid Accounts (22)
- Hijack Execution Flow (6)
- Event Triggered Execution (3)
- Boot or Logon Autostart Execution (2)
- Create or Modify System Process (2)
- Domain or Tenant Policy Modification (2)
- Scheduled Task/Job (2)
- Steal or Forge Authentication Certificates (2)
- Access Token Manipulation (1)
- Boot or Logon Initialization Scripts (1)
- Command and Scripting Interpreter (1)
- Data Destruction (1)
- Escape to Host (1)
Defense Evasion
21 alerts
- Hijack Execution Flow (6)
- Modify Authentication Process (4)
- Account Manipulation (3)
- Masquerading (3)
- Use Alternate Authentication Material (3)
- Create or Modify System Process (2)
- Hide Artifacts (2)
- Impair Defenses (2)
- Process Injection (2)
- Valid Accounts (2)
- Cloud Application Integration (1)
- Compromise Host Software Binary (1)
- Create Account (1)
- Domain or Tenant Policy Modification (1)
- Scheduled Task/Job (1)
- System Binary Proxy Execution (1)
Credential Access
11 alerts
Discovery
3 alerts
Lateral Movement
6 alerts
Command and Control
1 alert
Exfiltration
2 alerts
Impact
2 alerts