Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. tactic: TA0009 ✕ technique: T1052 ✕

Show ATT&CK heatmap
  • A user connected a USB storage device for the first time Informational Identity Threat Module

    A user connected a USB storage device for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to a host Informational Identity Threat Module

    A user connected a new USB storage device that was not seen for this user and host in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to multiple hosts Low Identity Threat Module

    A user connected a new USB storage device to multiple endpoints.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • Possible data exfiltration over a USB storage device Informational Identity Threat Module

    A process generated massive file creation, renaming and write activity to a USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.
  • Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation

    A user generated abnormal massive file activity to a connected USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.

    Variations

    Possible internal data exfiltration of over 500 MB via USB storage device

    Low overridden

    A user generated abnormal massive file activity to a connected USB storage device. overridden