Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0009 ✕ technique: T1039 ✕

Show ATT&CK heatmap
  • A user accessed an abnormal number of remote shared folders Informational Identity Threat Module 1 variation

    A user accessed an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Network Shared Drive (T1039)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect valuable data about the organization for exfiltration purposes.
    Investigative actions: Check for other suspicious activity made by the user at the time of the event. Inspect the shared folder and verify if the user should have accessed to that folder. Go over the list of files and check if such user should have access to those files.

    Variations

    A user accessed an abnormal number of remote shared folders for the first time

    Low overridden

    A user accessed for the first time to an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration. overridden