Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

6 alerts match the current filters. tactic: TA0009 ✕ technique: T1560 ✕

Show ATT&CK heatmap
  • A user created an abnormal password-protected archive Informational Identity Threat Module

    A user created an abnormal password-protected archive using an archive program.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.
  • An unusual archive file creation by a user Informational Identity Threat Module 1 variation

    An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Stage data on an endpoint in the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    A user created an archive file for the first time

    Informational overridden

    A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden

  • Compressing data using python Low

    Usage of a Python module to compress files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Library (T1560.002)
    Required data: XDR Agent
    Attacker's goals: Collecting and staging data before exfiltration.
    Investigative actions: Investigate the process and command line for access to sensitive files.
  • Massive file compression by user Informational Identity Threat Module

    Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Stage data on an endpoint in the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • Unusual compressed file password protection Low 1 variation

    An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Exfiltrate or hide sensitive data.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.

    Variations

    Unusual compressed file password protection in a Kubernetes pod

    Low overridden

    An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them. overridden

  • User collected remote shared files in an archive Low Identity Threat Module

    Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.