Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0007 ✕ technique: T1110 ✕

Show ATT&CK heatmap
  • Interactive local account enumeration Low Identity Analytics

    Multiple non-existing accounts attempted interactive local logins to a host within a short period.This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.
  • Remote account enumeration Informational Identity Analytics 2 variations

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Brute Force (T1110)
    Required data: XDR Agent
    Attacker's goals: Discover valid accounts to gain credentials.
    Investigative actions: Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.

    Variations

    Suspicious Remote domain account enumeration

    Medium overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden

    Remote account enumeration on domain accounts

    Low overridden

    Multiple non-existing accounts failed to remotely log in to a host in a short period of time.This may indicate an attacker is trying to remotely enumerate accounts. overridden