Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

12 alerts match the current filters. tactic: TA0009 ✕ technique: T1114 ✕

Show ATT&CK heatmap
  • A Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Access sensitive data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.

    Variations

    A suspicious Google Workspace identity used the security investigation tool

    Low overridden

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden

  • A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation

    A rule was set up to forward emails outside the Google Workspace domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.
    Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.

    Variations

    A mail forwarding rule was configured in Google Workspace to an uncommon domain

    High overridden

    A rule was set up to forward emails outside the Google Workspace domain. overridden

  • Azure mailbox rule creation Informational Cloud 1 variation

    A Mailbox rule in Azure was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Intercept or exfiltrate sensitive information.
    Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.

    Variations

    Unusual Azure mailbox rule creation

    Low overridden

    A Mailbox rule in Azure was created. overridden

  • Exchange compliance search created Informational Identity Threat Module Email 2 variations

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is searching mailboxes to access sensitive information.
    Investigative actions: Follow further actions done by the account. Check to see if the search contained sensitive information. Check if any data was exfiltrated after the search. Look for suspicious search terms.

    Variations

    Suspicious Exchange compliance search created

    Low overridden

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. The query contains potentially suspicious keywords, which could indicate an attempt of sensitive data collection. overridden

    Exchange compliance search created for the first time

    Low overridden

    A user created an Exchange compliance search. This feature enables Administrators to search mailboxes in an organization. overridden

  • Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.
    Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange inbox forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange inbox forwarding rule configured

    Medium overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden

    External Exchange inbox forwarding rule configured

    Low overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden

  • Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.
    Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange transport forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange transport forwarding rule configured

    Medium overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden

  • Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.

    Variations

    Exchange user mailbox forwarding by a delegate user

    Informational overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange user mailbox forwarding

    Medium overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden

  • Gmail routing settings changed Informational Identity Threat Module 1 variation

    Gmail routing settings were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged (T1074) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Email Collection.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the new routing settings look suspicious. Investigate the IP address associated with the routing settings. Follow further actions done by the account.

    Variations

    Gmail routing settings changed by a non-administrative Google Workspace identity

    Low overridden

    Gmail routing settings were modified. overridden

  • Outlook files accessed by an unsigned process Low

    An attacker may use an uncommon and unsigned process to access Outlook data files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data Staged: Local Data Staging (T1074.001) Email Collection: Local Email Collection (T1114.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Gain access to the data in the compromised mailbox.
    Investigative actions: Examine the process command and file activity to identify the mailbox. Check if the process performed any other suspicious file activity. Check if the process generated network connections.
  • Possible Email collection using Outlook RPC Informational

    Outlook was executed using RPC by an uncommon parent process, this may be an indication of email collection activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection: Local Email Collection (T1114.001)
    Required data: XDR Agent
    Attacker's goals: An attacker is trying to perform email collection or manipulation using Outlook.
    Investigative actions: Investigate the endpoint to determine if it's a legitimate process that is supposed to use Outlook in its operation to send or extract emails.
  • SAAS - Email was reported by the user or administrator as a phishing attempt Informational Email 2 variations

    An email reported by the user or administrator as a phishing attempt has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Trick the user into interacting with a malicious email by disguising it as legitimate, potentially leading to credential theft, malware infection, or data exfiltration.
    Investigative actions: Analyze the sender's IP address and domain reputation. Check if the sender has appeared in other logs or alerts across the organization. Review any URLs or attachments for signs of phishing, malware, or command-and-control communication. Correlate user actions (e.g., link clicks, file downloads) to assess potential compromise. Determine whether similar emails were sent to other users to identify a broader campaign.

    Variations

    SAAS - Phishing report with suspicious verdict on an internal user's email

    Low overridden

    An email sent by an internal user was reported by a recipient or administrator as a phishing attempt.This may indicate a compromised account. overridden

    SAAS - Phishing report with with suspicious verdict

    Low overridden

    An email with a Malware/Block verdict reported by the user or administrator has been detected. overridden

  • Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations

    A user sent sensitive email messages to external users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive email information.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Exchange mail to external account matching high severity DLP rules

    Low overridden

    A user sent sensitive email messages to external users. overridden

    Sensitive Exchange mail sent to an external user

    Low overridden

    A user sent sensitive email messages to external users. overridden