Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0006 ✕ technique: T1539 ✕
Show ATT&CK heatmapUnusual process accessed web browser cookies Informational 1 variation
An unusual process has accessed a web browser's session cookie store.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006)ATT&CK techniques: Steal Web Session Cookie (T1539)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Credentials Grabbing AnalyticsAttacker's goals: Obtain access to or hijack sessions to websites stored in the web browser's cookies.Investigative actions: Determine whether it is legitimate for the process to access session cookies directly. Analyze the process/application that accessed the cookie store. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser/cookie store.Variations
Unusual unsigned process accessed web browser cookies
Low overridden
An unusual process has accessed a web browser's session cookie store. overridden