Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. tactic: TA0009 ✕ technique: T1005 ✕
Show ATT&CK heatmapCertutil pfx parsing Low
Certutil was used to parse a pfx certificate file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Local System (T1005)Required data: XDR AgentDetector tags: Active Directory Certificate Services AnalyticsAttacker's goals: Attackers want to check pfx details. If details suffice, the correct certificate can be used for authentication, persistence or NTLM extraction.Investigative actions: Check if the pfx parsing is legitimate for the user (Testing, IT, etc.). Follow further actions done by the user (ex. authentication using certificates).Unusual process accessed a crypto wallet's files Low
An unusual process has accessed files belonging to a cryptocurrency wallet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Local System (T1005)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to cryptocurrency stored in the wallet.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Audit the usage of the cryptocurrency stored in the wallet.Unusual process accessed a messaging app's files Low
An unusual process has accessed files belonging to a messaging app.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's message history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.Unusual process accessed a web browser history file Low 1 variation
An unusual process has accessed a web browser history file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007) Collection (TA0009)ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's browsing history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.Variations
Unusual process accessed a web browser history file on Linux
Low overridden
An unusual process has accessed a web browser history file. overridden
User accessed multiple O365 AIP sensitive files Informational Identity Threat Module
A user accessed multiple O365 AIP sensitive files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive information.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.