Analytics Alerts
Browse the Cortex analytics alert reference.
6 alerts match the current filters. tactic: TA0009 ✕ technique: T1560 ✕
Show ATT&CK heatmapA user created an abnormal password-protected archive Informational Identity Threat Module
A user created an abnormal password-protected archive using an archive program.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the command line executed is normal for the process and user performing it. Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for password-protected archive file creation.An unusual archive file creation by a user Informational Identity Threat Module 1 variation
An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user created an archive file for the first time
Informational overridden
A user created an archive file for the first time. This might indicate an attempt to stage data before exfiltration. overridden
Compressing data using python Low
Usage of a Python module to compress files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Library (T1560.002)Required data: XDR AgentAttacker's goals: Collecting and staging data before exfiltration.Investigative actions: Investigate the process and command line for access to sensitive files.Massive file compression by user Informational Identity Threat Module
Multiple archive files were created by a user. This might indicate an attempt to stage data before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Stage data on an endpoint in the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Unusual compressed file password protection Low 1 variation
An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Exfiltrate or hide sensitive data.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Variations
Unusual compressed file password protection in a Kubernetes pod
Low overridden
An adversary might compress sensitive files with password protection to bypass security mitigations when attempting to exfiltrate them. overridden
User collected remote shared files in an archive Low Identity Threat Module
Multiple files from remote shares were archived in a local file. This may indicate collection of data and staging before exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Archive Collected Data: Archive via Utility (T1560.001) Data Staged (T1074)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the archive creates network connections as well. Check whether other users in the organization used the same process for remote archive file activity.