Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0009 ✕ technique: T1048 ✕

Show ATT&CK heatmap
  • Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations

    A user sent sensitive email messages to external users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive email information.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Exchange mail to external account matching high severity DLP rules

    Low overridden

    A user sent sensitive email messages to external users. overridden

    Sensitive Exchange mail sent to an external user

    Low overridden

    A user sent sensitive email messages to external users. overridden