Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0007 ✕ technique: T1217 ✕

Show ATT&CK heatmap
  • Browser bookmark files accessed by a rare non-browser process Informational

    Browser bookmark files accessed by a rare non-browser process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Browser Information Discovery (T1217)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Accessing these files is done by attackers to collect information about the endpoint.
    Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity.
  • Unusual process accessed a web browser history file Low 1 variation

    An unusual process has accessed a web browser history file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Collection (TA0009)
    ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's browsing history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.

    Variations

    Unusual process accessed a web browser history file on Linux

    Low overridden

    An unusual process has accessed a web browser history file. overridden