Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0008 ✕ technique: T1562 ✕
Show ATT&CK heatmapChrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation
A user modified Chrome OS Remote Access configuration in Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.Variations
Suspicious Chrome OS Remote Access policy was modified in Google Workspace
Low overridden
This is the first time the user performs this operation in the last 30 days. overridden
Suspicious SSH Downgrade Low 2 variations
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.Variations
A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden
A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden