Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0006 ✕ technique: T1539 ✕

Show ATT&CK heatmap
  • Unusual process accessed web browser cookies Informational 1 variation

    An unusual process has accessed a web browser's session cookie store.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal Web Session Cookie (T1539)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Credentials Grabbing Analytics
    Attacker's goals: Obtain access to or hijack sessions to websites stored in the web browser's cookies.
    Investigative actions: Determine whether it is legitimate for the process to access session cookies directly. Analyze the process/application that accessed the cookie store. Check for any other suspicious actions that were performed by the process. Look for unusual access to resources using credentials cached in the web browser/cookie store.

    Variations

    Unusual unsigned process accessed web browser cookies

    Low overridden

    An unusual process has accessed a web browser's session cookie store. overridden