Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0009 ✕ technique: T1115 ✕

Show ATT&CK heatmap
  • Uncommon GetClipboardData API function invocation of a possible information stealer Informational

    An unpopular process accessed clipboard content by calling the GetClipboardData API function. This behavior may indicate potential threats such as a keylogger or a RAT.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Clipboard Data (T1115)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attackers can monitor the clipboard as another way for credential gathering or to collect more user data over time for espionage purposes.
    Investigative actions: Check if the process has a user interface (a visible window). Check if the process is a known user application that was updated recently.