Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0001 ✕ technique: T1048 ✕

Show ATT&CK heatmap
  • A Torrent client was detected on a host Informational 1 variation

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Exfiltrate data or as a phishing entry point.
    Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    A Torrent client was detected on a host

    Informational overridden

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden

  • Possible IPFS traffic was detected Informational

    The host attempted to access other nodes in an IPFS manner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.
  • Possible use of IPFS was detected Informational 1 variation

    The host produced traffic consistent with IPFS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    Possible use of IPFS was detected

    Informational overridden

    The host produced traffic consistent with IPFS. overridden

  • Sending unusual file(s) to an external address Low Email

    Unusual files sent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.
    Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.