Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0002 ✕ technique: T1080 ✕
Show ATT&CK heatmapA user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations
A user uploaded a file that was classified as malware to SharePoint or OneDrive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)Required data: Office 365 AuditAttacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.Variations
A user uploaded malware to SharePoint or OneDrive with suspicious characteristics
Medium overridden
A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden
A user uploaded a malicious payload to SharePoint or OneDrive
Informational overridden
A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden