Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0009 ✕ technique: T1592 ✕
Show ATT&CK heatmapUnusual process accessed a messaging app's files Low
An unusual process has accessed files belonging to a messaging app.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's message history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.