Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. tactic: TA0001 ✕ technique: T1110 ✕

Show ATT&CK heatmap
  • Account probing Low Identity Analytics

    A user failed to log in to multiple hosts it never accessed before in a short amount of time.This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Gain access to hosts by using stolen user-account credentials.
    Investigative actions: Check if the user account was compromised, and which resources it could access.
  • FTP Connection Using an Anonymous Login or Default Credentials Low

    An FTP connection using an anonymous login was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this FTP. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.
  • Granting Access to an Account Informational Cloud

    Azure access has been granted to an account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials (T1552) Modify Authentication Process (T1556) OS Credential Dumping (T1003) Brute Force (T1110) Forge Web Credentials (T1606)
    Required data: Azure Audit Log
    Attacker's goals: Gain unauthorized access to an account. Gain access to sensitive data.
    Investigative actions: Check the account access logs to determine the source of the access. Check the account activity logs to determine the purpose of the access.
  • Intense SSO failures Informational Identity Analytics 1 variation

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: An attacker is attempting to gain access to an account secured with MFA.
    Investigative actions: Check the legitimacy of this activity and determine whether it is malicious or not. Check whether a successful login was made after unsuccessful attempts.

    Variations

    Intense SSO failures with suspicious characteristics

    Low overridden

    An abnormally high amount of SSO authentication attempts were seen within a short period of time.This could be the outcome of a brute-force login attempt. overridden

  • Multiple Suspicious FTP Login Attempts Low

    Multiple suspicious FTP sessions were detected, which may indicate a brute-force attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Brute Force (T1110) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek access to FTP accounts and use them to exfiltrate data, stage attack tools, or create command and control channels through trusted services.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon FTP connection. Examine the parent process of this application. Verify that the connection attempts were not performed from an illegitimate source.