Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0002 ✕ technique: T1082 ✕

Show ATT&CK heatmap
  • System profiling WMI query execution Informational

    Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.