Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0003 ✕ technique: T1195 ✕
Show ATT&CK heatmapChrome Extension Installed By User Informational Identity Threat Module
A Chrome extension was installed or updated by a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.