Analytics Alerts
Browse the Cortex analytics alert reference.
6 alerts match the current filters. tactic: TA0001 ✕ technique: T1190 ✕
Show ATT&CK heatmapAn unusual process in ingress-nginx has accessed a service-account token file High Cloud
An unusual process in ingress-nginx has read a service-account token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.Investigative actions: Check if the process is intended to preform these actions.Cloud IMDS access followed by remote token usage Medium Cloud
A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)Required data: AWS Audit Log XDR AgentAttacker's goals: Gain unauthorized access by leveraging valid cloud credentials.Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.Failed Login For a Long Username With Special Characters Informational
A long username containing special characters failed to log in to the domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Exploit Public-Facing Application (T1190)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: An attacker is trying to get code execution on internet-facing assets through command injection.Investigative actions: Is the host running internet-facing services? Are we looking at sanction vulnerability scanning?Suspicious failed HTTP request - potential Spring4Shell exploit Low 1 variation
A potentially malicious failed HTTP request was received, possibly as part of a Spring4Shell exploitation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: Exploit Public-Facing Application (T1190)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Gain the ability to execute code remotely or drop malware.Investigative actions: Check if suspicious process executions occurred after the request. Consider limiting access to the vulnerable server.Variations
Suspicious HTTP request - potential Spring4Shell exploit
Medium overridden
A potentially malicious HTTP request was received, possibly as part of a Spring4Shell exploitation attempt. overridden
Unusual DB process spawning a shell Informational 3 variations
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).Variations
Unusual DB process spawning a shell with a possible reconnaissance command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with a possible web download/access command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with an unusual command line
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation
Unusual Process Spawned by Nginx in Ingress-Nginx pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.Variations
Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload
High overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden