Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

11 alerts match the current filters. tactic: TA0007 ✕ technique: T1016 ✕

Show ATT&CK heatmap
  • A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation

    A user executed multiple LDAP enumeration queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server)
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.

    Variations

    A user executed suspicious LDAP enumeration queries

    Low overridden

    A user executed multiple LDAP enumeration queries. overridden

  • Multiple discovery commands Low 4 variations

    The alerted causality performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands from a web server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an SQL server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an unsigned causality

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from a standard IT tool

    Informational overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Linux host by the same process Informational 2 variations

    The alerted process performed multiple consecutive discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands on a Linux host by the same process

    Medium overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Linux host by the same process

    Low overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Windows host by the same process Low 5 variations

    The alerted process performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Remote Multiple discovery commands on a Windows host by the same IP

    High overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a web server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from an SQL server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a remote CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Rare Multiple discovery commands on a Windows host by the same process

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery-like commands Informational 3 variations

    The alerted process performed multiple consecutive discovery commands in a short time frame.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery-like commands by web server process

    Low overridden

    The web server process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands on a Linux host

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

  • Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Possible admin enumeration via LDAP

    Informational overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    A user executed an LDAP enumeration query with suspicious characteristics

    Medium overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    Rare LDAP enumeration query executed by a user

    Low overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

  • Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Suspicious container reconnaissance activity in a Kubernetes pod

    Medium overridden

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden

    Suspicious container reconnaissance activity in a Kubernetes pod

    Low overridden

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden

  • Uncommon ARP cache listing via arp.exe Low

    The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache. Adversaries may attempt to use the command to discover remote systems they could compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Network Configuration Discovery (T1016)
    Required data: XDR Agent
    Attacker's goals: Adversaries may attempt to use the command to discover remote systems they could compromise.
    Investigative actions: Check whether the initiating process is allowed in your organization. (If the parent process is cmd.exe, check the process that spawned it).
  • Uncommon IP Configuration Listing via ipconfig.exe Low

    The 'ipconfig' command is used to display TCP/IP network configuration information and refresh the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Adversaries may use the command to discover network configuration details.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Network Configuration Discovery (T1016)
    Required data: XDR Agent
    Attacker's goals: Attackers can use the ipconfig command to discover network configuration details.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional discovery commands were executed from the same process.
  • Uncommon attempt at discovering a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at discovering /etc/hosts

    Informational overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

  • Uncommon routing table listing via route.exe Low

    The route.exe command is used to display and modify entries in the local IP routing table. Adversaries may attempt to use the command to discover remote systems they could compromise.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: System Network Configuration Discovery (T1016)
    Required data: XDR Agent
    Attacker's goals: Attackers can attempt to use the command to discover remote systems they could compromise.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it (e.g. an IT script).