Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0001 ✕ technique: T1562 ✕

Show ATT&CK heatmap
  • Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    A recently configured Exchange DKIM signing configuration was disabled

    Informational overridden

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden

  • Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.
  • Exchange Safe Link policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.
  • Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    Recently configured Exchange anti-phish policy disabled or removed

    Informational overridden

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden