Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0009 ✕ technique: T1078 ✕

Show ATT&CK heatmap
  • A rare FTP user has been detected on an existing FTP server Low 1 variation

    A rare or new FTP user has been detected on an existing FTP server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.

    Variations

    Possible FTP User Scanning Detected

    Low overridden

    A rare or new FTP user has been detected on an existing FTP server. overridden

  • New FTP Server Low 2 variations

    A new FTP server has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.

    Variations

    New FTP Server Accessed Via a Port Scan

    Informational overridden

    A new FTP server has been detected. overridden

    New FTP Server from an external source

    Low overridden

    A new FTP server has been detected. overridden

  • Potential Okta access limit breach Informational Identity Threat Module 1 variation

    A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)
    ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    A breach in access limits within Okta, accompanied by suspicious characteristics

    Low overridden

    The user exceeded the access threshold in Okta, triggering a violation alert. overridden