Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

10 alerts match the current filters. tactic: TA0009 ✕ technique: T1213 ✕

Show ATT&CK heatmap
  • A Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Access sensitive data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.

    Variations

    A suspicious Google Workspace identity used the security investigation tool

    Low overridden

    A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden

  • A rare FTP user has been detected on an existing FTP server Low 1 variation

    A rare or new FTP user has been detected on an existing FTP server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall EAL Logs
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.

    Variations

    Possible FTP User Scanning Detected

    Low overridden

    A rare or new FTP user has been detected on an existing FTP server. overridden

  • DLP sensitive data exposed to external users Informational Identity Threat Module Email 1 variation

    A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to access sensitive information.
    Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.

    Variations

    High-severity DLP sensitive data exposed to external users

    Low overridden

    A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information. overridden

  • Microsoft Teams messages were exported from conversation Informational Identity Threat Module 1 variation

    Microsoft Teams messages were exported from conversation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.
    Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

    Variations

    Microsoft Teams messages were exported from conversation by a privileged user for the first time

    Low overridden

    Microsoft Teams messages were exported from conversation. overridden

  • New FTP Server Low 2 variations

    A new FTP server has been detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.
    Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.

    Variations

    New FTP Server Accessed Via a Port Scan

    Informational overridden

    A new FTP server has been detected. overridden

    New FTP Server from an external source

    Low overridden

    A new FTP server has been detected. overridden

  • OneDrive file download Informational Cloud

    A file was downloaded from OneDrive using the Microsoft Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Exfiltrate sensitive data by downloading files from OneDrive.
    Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.
  • Rare DLP rule match by user Informational Identity Threat Module Email 1 variation

    A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to access sensitive information.
    Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.

    Variations

    DLP rule match by user for the first time

    Low overridden

    A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information. overridden

  • Unusual process accessed a macOS notes DB file Informational 1 variation

    An unusual process has accessed a user's notes DB file.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to user's notes and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access user's notes. Analyze the process/application that accessed the DB file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above notes.

    Variations

    Unusual unsigned process accessed a macOS notes DB file

    Low overridden

    An unusual process has accessed a user's notes DB file. overridden

  • User accessed multiple O365 AIP sensitive files Informational Identity Threat Module

    A user accessed multiple O365 AIP sensitive files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive information.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.
  • User exported multiple messages in Microsoft Teams via Graph API Informational Identity Threat Module 3 variations

    A user exported multiple messages in Microsoft Teams via Graph API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.
    Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.

    Variations

    User exported multiple chats in Microsoft Teams via Graph API

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

    User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden

    User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN

    Low overridden

    A user exported multiple messages in Microsoft Teams via Graph API. overridden