Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. tactic: TA0009 ✕ technique: T1119 ✕

Show ATT&CK heatmap
  • A user performed suspiciously massive file activity Informational Identity Threat Module 1 variation

    A user generated massive file activity by size or distinct file count.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001) Data Staged: Remote Data Staging (T1074.002)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.

    Variations

    A user performed suspiciously large file activities over 1 GB in a short period of time

    Low overridden

    A user generated massive file activity by size or distinct file count. overridden

  • Massive file activity abnormal to process Informational Identity Threat Module 1 variation

    A user generated massive file activity by size or distinct file count.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check which files the process performed the activity on. Check whether other users in the organization used the same process for file activity.

    Variations

    Massive file activity over 500 MB abnormal to process

    Low overridden

    A user generated massive file activity by size or distinct file count. overridden

  • Potential Okta access limit breach Informational Identity Threat Module 1 variation

    A user surpassed Okta's rate limit, leading to an access limit violation. This could suggest a potential account takeover attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Initial Access (TA0001)
    ATT&CK techniques: Automated Collection (T1119) Valid Accounts (T1078)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An adversary may attempt to use a compromised account in an unusual way to harvest as much data as possible, which could result in exceeding the access limit policy.
    Investigative actions: Reach out to the user responsible for the alert to confirm the legitimacy of the activity. Examine the user's actions preceding and following the activation of the alert. Investigate abnormal logins, reported suspicious activities, new processes run, and recent configuration changes for any indicators of potential compromise. Assess the reputation of the IP address along with that of the Autonomous System Number (ASN).

    Variations

    A breach in access limits within Okta, accompanied by suspicious characteristics

    Low overridden

    The user exceeded the access threshold in Okta, triggering a violation alert. overridden

  • Retrieval of cloud compute EC2 instance user data Informational Cloud 1 variation

    A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Automated Collection (T1119)
    Required data: AWS Audit Log
    Attacker's goals: Access sensitive instance metadata or startup scripts.
    Investigative actions: Verify whether this action is expected. Inspect the user data script for sensitive data.

    Variations

    Unusual Retrieval of cloud compute instance user data

    Low overridden

    A cloud compute instance user data was retrieved, which may contain startup scripts, configuration parameters, or sensitive information associated with the instance. overridden

  • Unusual process accessed a web browser history file Low 1 variation

    An unusual process has accessed a web browser history file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Collection (TA0009)
    ATT&CK techniques: Browser Information Discovery (T1217) Data from Local System (T1005) Automated Collection (T1119)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's browsing history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access web browser history. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above file.

    Variations

    Unusual process accessed a web browser history file on Linux

    Low overridden

    An unusual process has accessed a web browser history file. overridden