Analytics Alerts
Browse the Cortex analytics alert reference.
18 alerts match the current filters. tactic: TA0009 ✕ technique: T1074 ✕
Show ATT&CK heatmapA user connected a USB storage device for the first time Informational Identity Threat Module
A user connected a USB storage device for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to a host Informational Identity Threat Module
A user connected a new USB storage device that was not seen for this user and host in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to multiple hosts Low Identity Threat Module
A user connected a new USB storage device to multiple endpoints.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user created an abnormal password-protected archive Informational Identity Threat Module
A user created an abnormal password-protected archive using an archive program.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.A user performed suspiciously massive file activity Informational Identity Threat Module 1 variation
A user generated massive file activity by size or distinct file count.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001) Data Staged: Remote Data Staging (T1074.002)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.Variations
A user performed suspiciously large file activities over 1 GB in a short period of time
Low overridden
A user generated massive file activity by size or distinct file count. overridden
A user took numerous screenshots Informational Identity Threat Module
A user took numerous screenshots. A valuable organization's information may have been collected in this way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether this activity fits the user profile. Check for any other suspicious activity related to the host and the user involved in the alert. Check if there was a suspicious file upload following the massive screenshot activity. Check whether other users in the organization used the same process for file activity.An unusual archive file creation by a user Informational Identity Threat Module 1 variation
An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user created an archive file for the first time
Informational overridden
A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden
Gmail routing settings changed Informational Identity Threat Module 1 variation
Gmail routing settings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged (T1074) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Email Collection.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new routing settings look suspicious. Investigate the IP address associated with the routing settings. Follow further actions done by the account.Variations
Gmail routing settings changed by a non-administrative Google Workspace identity
Low overridden
Gmail routing settings were modified. overridden
Mailbox Client Access Setting (CAS) changed Medium
An attacker may use PowerShell to change the Client Access Settings (CAS) for a mailbox, hence gaining access to the data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access to the data in the compromised mailbox.Investigative actions: Examine the PowerShell command to identify which mailbox's access setting has been modified. Verify that the change in the client access setting was executed by a trusted source.Massive file activity abnormal to process Informational Identity Threat Module 1 variation
A user generated massive file activity by size or distinct file count.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.Variations
Massive file activity over 500 MB abnormal to process
Low overridden
A user generated massive file activity by size or distinct file count. overridden
Massive file compression by user Informational Identity Threat Module
Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Massive upload to SaaS service Informational Identity Threat Module 1 variation
A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.Variations
Massive upload to SaaS service by suspicious user
Low overridden
A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden
OneDrive folder creation Informational Cloud
A folder was created in OneDrive using Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Remote Data Staging (T1074.002)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Establish persistence or prepare for data exfiltration by creating a storage location in OneDrive via the Microsoft Graph API, enabling them to later upload or manipulate files undetected.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Outlook files accessed by an unsigned process Low
An attacker may use an uncommon and unsigned process to access Outlook data files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001) Email Collection: Local Email Collection (T1114.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Gain access to the data in the compromised mailbox.Investigative actions: Examine the process command and file activity to identify the mailbox. Check if the process performed any other suspicious file activity. Check if the process generated network connections.Possible data exfiltration over a USB storage device Informational Identity Threat Module
A process generated massive file creation, renaming and write activity to a USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation
A user generated abnormal massive file activity to a connected USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Variations
Possible internal data exfiltration of over 500 MB via USB storage device
Low overridden
A user generated abnormal massive file activity to a connected USB storage device. overridden
PowerShell used to export mailbox contents Medium
An attacker may use PowerShell to export the contents of a mailbox as part of the data staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data Staged: Local Data Staging (T1074.001)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Export the content of a mailbox, preparing for data exfiltration.Investigative actions: Examine the PowerShell command to identify which mailbox has been exported. Verify that this command was executed by a trusted source.User collected remote shared files in an archive Low Identity Threat Module
Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.