Analytics Alerts
Browse the Cortex analytics alert reference.
83 alerts match the current filters. tactic: TA0010 ✕
Show ATT&CK heatmapA Backup vault policy was modified Low Cloud
A cloud identity has modified backup vault access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Manipulate access to a backup vault.Investigative actions: Check if the {identity_name} intended to modify the backup vault policy. Check additional activity by {identity_name}.A Cloud DB instance was exported to an unknown destination Informational Cloud
A Cloud DB instance was exported to a foreign storage destination.The destination storage has not been seen in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate sensitive database content to an external or attacker-controlled bucket.Investigative actions: Verify if the destination bucket is authorized for data export. Investigate the identity performing the action for unusual behavior or lack of authorization. Assess the sensitivity of the data within the source Cloud DB instance to determine impact.A GCP Cloud SQL DB instance was exported from a production account Informational Cloud
A GCP Cloud SQL DB instance was exported to a storage bucket.The DB instance was exported from a production account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source Cloud DB instance. Review further actions performed by the identity.A Torrent client was detected on a host Informational 1 variation
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Exfiltrate data or as a phishing entry point.Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
A Torrent client was detected on a host
Informational overridden
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden
A cloud snapshot of AWS database or storage was modified or shared Informational Cloud 2 variations
A cloud identity has shared a snapshot of an AWS database or storage instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot of a database or storage instance was shared public
Low overridden
A cloud identity has shared a snapshot of an AWS database or storage instance. overridden
Cloud snapshot of a database or storage instance was shared with an unknown AWS account
Low overridden
A cloud identity has shared a snapshot of an AWS database or storage instance. overridden
A cloud storage object was copied to a foreign cloud account Medium Cloud 2 variations
A cloud storage object was copied or moved to a foreign cloud storage account.The destination account was either not monitored or not seen within your tenant for the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate data to a foreign account.Investigative actions: Check the legitimacy of the copy operation. Review further actions performed by the identity.Variations
A cloud storage object from a sensitive bucket was copied to a foreign cloud account from a production account
High overridden
A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden
A cloud storage object was copied to a foreign cloud account from a production account
Medium overridden
A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden
A compressed file was exfiltrated over SSH Informational 1 variation
Exfiltration of a compressed file over SSH.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to exfiltrate data over encrypted network protocol.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
A compressed file was exfiltrated over SSH from a Kubernetes pod
Informational overridden
Exfiltration of a compressed file over SSH. overridden
A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation
A rule was set up to forward emails outside the Google Workspace domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.Variations
A mail forwarding rule was configured in Google Workspace to an uncommon domain
High overridden
A rule was set up to forward emails outside the Google Workspace domain. overridden
A process connected to a rare cloud resource Informational 3 variations
A process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A browser process connected to a rare cloud resource
Informational overridden
A browser process connected to a rare cloud resource. overridden
A process connected to an atypical rare cloud resource
Informational overridden
A process connected to an atypical rare cloud resource. overridden
A process connected to a rare cloud resource atypical to this agent
Informational overridden
A process connected to a rare cloud resource atypical to this agent. overridden
A user accessed an uncommon AppID Informational Identity Threat Module 5 variations
A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user accessed an uncommon external peer-to-peer service
Informational overridden
A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon external file-sharing service
Informational overridden
A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon peer-to-peer service
Informational overridden
A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon file-sharing service
Informational overridden
A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon VPN service
Informational overridden
A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity. overridden
A user connected a USB storage device for the first time Informational Identity Threat Module
A user connected a USB storage device for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to a host Informational Identity Threat Module
A user connected a new USB storage device that was not seen for this user and host in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to multiple hosts Low Identity Threat Module
A user connected a new USB storage device to multiple endpoints.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user printed an unusual number of files Informational Identity Threat Module
A user printed an unusual number of files. This may be indicative of malicious activity and an attempt to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium (T1052)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: In an attempt to exfiltrate data, a malicious insider might print an unusual number of files.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.AWS EC2 instance exported into S3 Informational Cloud
A running or stopped instance was exported to an Amazon S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.AWS Transfer Family server created Informational Cloud 1 variation
A cloud identity created server using AWS Transfer Family service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Attacker is trying to exfiltrate data out of AWS storage services.Investigative actions: Check if the AWS Transfer Family service is used by your organization. Check if {identity_name} created a server using this service before. Check which storage instances were affected by {transfer_server_id} server.Variations
Unusual cloud transfer service activity
Low overridden
A cloud identity created server using AWS Transfer Family service. overridden
AWS network ACL rule creation Informational Cloud
An AWS network ACL rule was created with a specific rule number.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.Variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare
Low overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden
An AWS EC2 instance containing sensitive data was exported Informational Cloud
A EC2 instance was exported to an S3 bucket.The instance was found to contain sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EC2 instance was exported from a production account Informational Cloud
An EC2 instance was exported from a production account to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EC2 instance was exported into an unknown S3 bucket Informational Cloud
An EC2 instance was exported to an unknown S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS RDS instance was created from a snapshot Informational Cloud
A new AWS RDS instance was created from a publicly available RDS snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Gain access to the RDS instance. Access confidential data stored in the RDS instance.Investigative actions: Check the RDS instance status in the AWS console. Verify if the instance is publicly accessible.An Azure SQL database was exported from a production subscription Informational Cloud
An Azure SQL database export was initiated.The database was exported from a production subscription.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source SQL instance. Review further actions performed by the identity.An Azure VM snapshot SAS URL was generated for export from a production subscription Informational Cloud
A SAS URL for an Azure VM snapshot was generated.The operation was performed within a production subscription.SAS URLs allow others to download or export the snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate the VM disk image to access sensitive data stored on the disk.Investigative actions: Verify if the identity is authorized to generate SAS URLs for VM snapshots. Check if the snapshot export aligns with scheduled maintenance or backup procedures. Review further actions performed by the identity to see if the snapshot was downloaded or accessed.An EBS snapshot block was downloaded Informational Cloud 2 variations
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An EBS snapshot block was downloaded from a snapshot with sensitive data
Medium overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden
An unusual download of EBS snapshot block
Low overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden
An RDS snapshot containing sensitive data was exported Informational Cloud
An RDS snapshot containing sensitive data was exported to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.An RDS snapshot was exported from a production account Informational Cloud
An RDS snapshot was exported from a production account to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.An RDS snapshot was exported to an unknown S3 bucket Low Cloud 3 variations
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source snapshot ID. Review further actions performed by the identity and role.Variations
An RDS snapshot was exported to an unknown S3 bucket by an admin identity
Informational overridden
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.The identity has an administrative behavior. overridden
An RDS snapshot was exported to an unknown S3 bucket with suspicious indicators
Medium overridden
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days. overridden
An RDS snapshot was exported to an unknown S3 bucket - denied attempt
Informational overridden
A denied attempt to export an RDS snapshot to an unknown S3 bucket. overridden
An RDS snapshot was exported to an unknown bucket Informational Cloud 1 variation
An RDS snapshot was exported to an unknown S3 bucket.The destination bucket has not been seen in your tenant in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.Variations
Failed RDS snapshot export attempt to an unknown bucket
Informational overridden
A failed attempt to export an RDS snapshot to an unknown bucket. overridden
An S3 replication policy to an unknown bucket was created Low Cloud 3 variations
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source bucket. Review further actions performed by the identity.Variations
Unusual S3 replication policy to an unknown bucket was created
Low overridden
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The operation was not performed in your organization in the last 30 days. overridden
An S3 replication policy to an unknown bucket was created by an admin identity
Informational overridden
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The identity has an administrative behavior. overridden
An S3 replication policy to an unknown bucket was created - denied attempt
Low overridden
A denied attempt to create an S3 replication policy to an unknown bucket. overridden
An identity accessed a backup cloud storage Informational Cloud 1 variation
An identity accessed a backup cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity accessed a backup cloud storage which wasn't read recently
Low overridden
An identity accessed a backup cloud storage. overridden
An identity accessed a cloud storage for the first time Informational Cloud
An identity accessed a cloud storage resource for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.An identity accessed cloud storage containing sensitive data Informational Cloud
An identity accessed cloud storage containing sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.An identity initiated a download of multiple cloud objects Informational Cloud 2 variations
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume
Medium overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden
An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume
Low overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An identity performed a suspicious download of multiple cloud storage objects from an internal IP
Informational overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
An identity performed a suspicious download of multiple cloud storage objects
High overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden
An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation
An unusual cloud identity was granted permissions to a BigQuery table or dataset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.Variations
Cloud admin granted an unknown identity permissions to a BigQuery resource
Informational overridden
An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden
An unusual read activity of cloud object Informational Cloud
An identity accessed a cloud object filetype for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Azure storage account cross-tenant object replication was enabled Informational Cloud 1 variation
Azure cross-tenant object replication in a storage account was enabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Enable unauthorized data transfer to an external or attacker-controlled environment. Establish a persistent channel for ongoing data exfiltration. Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.Investigative actions: Confirm that the identity intended to enable cross-tenant replication. Follow further actions done by the identity. Monitor the storage account for other suspicious activities.Variations
Azure storage account cross-tenant object replication was enabled for the first time in a subscription
Low overridden
Azure cross-tenant object replication in a storage account was enabled for the first time in a subscription. overridden
Bedrock model shared with a foreign account Low Cloud
A bedrock model was shared with a foreign account through AWS resource access manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Exfiltrate the proprietary model to a foreign account and establish persistent access to it.Investigative actions: Investigate the foreign cloud accounts that gained access to the models. Assess the sensitivity of the shared models to determine the potential impact of this exposure. Identify the actor and investigate their identity for compromise.BigQuery table or query results exfiltrated to a foreign project Informational Cloud 2 variations
A cloud identity exfiltrated BigQuery table data to a foreign storage service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery table.Investigative actions: Check if {cloud_best_identity_match} intended to transfer data from BigQuery table. Verify if the affected table did not contain any sensitive information.Variations
BigQuery table or query results exfiltrated to a foreign project by cloud admin identity
Informational overridden
A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden
BigQuery table or query results exfiltrated to a foreign project by an unknown identity
Low overridden
A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden
Bucket's block public access setting turned off Informational Cloud
S3 bucket block public access setting turned off.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Expose bucket to the public and maintain access to bucket's resources avoiding detection.Investigative actions: Check if {cloud_best_identity_match} intended to modify block public access settings. Check if the {bucket_name} bucket contains any sensitive information.Bucket's object ownership controls were modified Informational Cloud
S3 bucket object ownership controls were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Maintain control and access to data that resides inside the S3 bucket.Investigative actions: Check if {cloud_best_identity_match} intended to modify bucket's object ownership. Check if the {aws_s3bucket_identifier} bucket contains any sensitive information.Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot of a database or storage instance was publicly shared Medium Cloud
A cloud identity has publicly shared a snapshot of a database or storage instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to share the snapshot publicly. Check if the identity performed additional malicious operations within the cloud environment.Commonly abused AutoIT script connects to an external domain Medium
AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.DNS Tunneling Low 1 variation
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
DNS Tunneling
Medium overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden
Data exfiltration from cloud database Low Cloud 2 variations
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation.Variations
Data exfiltration from cloud database containing sensitive data from a production account toa foreign account
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Suspicious data exfiltration from cloud database
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
EC2 instance Amazon machine image was created Informational Cloud
Amazon machine image was created from elastic compute cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogAttacker's goals: Creating Amazon machine images might be part of elastic compute cloud instance exfiltration chain.Investigative actions: Check if {identity_name} to create Amazon machine image. Check if the {cloud_aws_instance_id} instance did not contain any sensitive data.EC2 snapshot attribute has been modified Informational Cloud
The snapshot's permissions were modified (added/removed).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate backup/stored information.Investigative actions: Check if the snapshot is shared with an unwanted account/actor.Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange inbox forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange inbox forwarding rule configured
Medium overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden
External Exchange inbox forwarding rule configured
Low overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden
Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange transport forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange transport forwarding rule configured
Medium overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden
Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.Variations
Exchange user mailbox forwarding by a delegate user
Informational overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange user mailbox forwarding
Medium overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden
External Sharing was turned on for Google Drive Informational Identity Threat Module 3 variations
An identity has modified Google Drive sharing settings and allowed external sharing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may exfiltrate data, such as sensitive documents.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). check the new setting details. Follow further actions done by the account.Variations
External Sharing was turned on for Google Drive by a non Google Workspace administrative user from an unusual ASN
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External Sharing was turned on for Google Drive by a non Google Workspace administrative user
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External Sharing was turned on for Google Drive from an unusual ASN
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
First-seen email from mailbox owner to external recipient's address in the last 30 days Informational Email 6 variations
Internal sender initiated first-time communication with an external recipient in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
First-time email to the disposable domain
Low overridden
Internal sender emailed to external address(es) with disposable domain. overridden
First-time email from organization's domain with the external recipient's domain in the last 30 days
Informational overridden
Internal sender emailed an external address belonging to a domain seen for the first time by the organization domain in the last 30 days. overridden
First-time email from organization with the external recipient in the last 30 days
Informational overridden
Internal sender emailed to external address(es) that first-seen by the the whole organization in the last 30 days. overridden
First-time email from organization's domain to the external recipient in the last 30 days
Informational overridden
Internal sender emailed to external address(es) that first-seen by the organization domain in the last 30 days. overridden
First-time email from mailbox owner to the external recipient's domain in the last 30 days
Informational overridden
Internal sender emailed to external address(es) with domain that first-seen by that sender in the last 30 days. overridden
First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days
Informational overridden
Internal sender emailed first-time to multiple external recipients with no internal recipients included in the last 30 days. overridden
Foreign account was granted permissions to S3 bucket via resource-based policy Informational Cloud 1 variation
Foreign account was granted access to S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: The attacker wants to maintain control over the resource.Investigative actions: Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy. Check the permissions that were granted to the {aws_grantee_project}. Restrict permissions for the {aws_grantee_project} if needed.Variations
Foreign account was granted permissions to S3 bucket containing sensitive information via resource-based policy
Low overridden
Foreign account was granted access to S3 bucket. overridden
Google Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
HTTP with suspicious characteristics Low 3 variations
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
HTTP with suspicious characteristics which is repetitive
Low overridden
Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics to an IP address
Low overridden
Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics that always fails
Informational overridden
Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
Large Upload (FTP) Low 1 variation
The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Exfiltrate stolen data from the victim network to an attacker's controllable resource.Investigative actions: Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive. Identify the entity performing the data transfer to determine if the transfer is sanctioned. Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.Variations
Large Upload (FTP)
Informational overridden
The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol. overridden
Large Upload (Generic) Low 3 variations
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful to him.Investigative actions: Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity. Check if the traffic is to/from a misconfigured network. Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.Variations
Large Upload (Generic)
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (Generic) Lower than 100 MB
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (Generic) to a Frequently Used Upload Target
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (HTTPS) Low 2 variations
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Transfer data she has stolen from your network to a location that is convenient and useful to her.Investigative actions: Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data to a site that uses load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR Analytics detector. Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.Variations
Large Upload (HTTPS)
Informational overridden
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (HTTPS) to non-standard port
Low overridden
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (SMTP) Low 1 variation
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Transfer data they have stolen from your network to a location that is convenient and useful to him.Investigative actions: Identify the process/user performing the data transfer to determine if the transfer is sanctioned. Verify that the source is not a mail server. Check if the target address represents a mail service that rarely used in the organization. If so, this might indicate on file exfiltration attempt.Variations
Large Upload (SMTP)
Informational overridden
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network. overridden
Massive upload to SaaS service Informational Identity Threat Module 1 variation
A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.Variations
Massive upload to SaaS service by suspicious user
Low overridden
A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden
Massive upload to a rare storage or mail domain Informational Identity Threat Module 1 variation
A large amount of data was transferred to an external site that is used for mail or storage. This behavior may indicate data exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR AgentAttacker's goals: A user uploaded an abnormal amount of data to a file sharing service. This activity might indicate an attempt to exfiltrate files and data from the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Identify the user uploading the data to determine if the transfer is sanctioned.Variations
A user uploaded over 500 MB to a rare storage or mail domain
Low overridden
A user uploaded over 500 MB to a file sharing service that is rarely accessed by them or anyone else in the organization. overridden
Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams external communication policy was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.Variations
Microsoft Teams external communication policy was modified by an unusual user
Low overridden
Microsoft Teams external communication policy was modified. overridden
Multiple cloud snapshots export Informational Cloud 4 variations
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the disk.Investigative actions: Check if the identity intended to export the virtual machines or DB snapshots. Check if the identity performed additional operations in the cloud environment that might be malicious.Variations
Multiple cloud snapshots export
High overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on the cloud project history. overridden
Multiple cloud snapshots export
Medium overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on The cloud identity history. overridden
Multiple cloud snapshots export
Low overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the unsuccessful attempts rate. overridden
Multiple cloud snapshots export
Low overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the cloud project or identity history. overridden
Possible IPFS traffic was detected Informational
The host attempted to access other nodes in an IPFS manner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.Possible data exfiltration over a USB storage device Informational Identity Threat Module
A process generated massive file creation, renaming and write activity to a USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation
A user generated abnormal massive file activity to a connected USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Variations
Possible internal data exfiltration of over 500 MB via USB storage device
Low overridden
A user generated abnormal massive file activity to a connected USB storage device. overridden
Possible use of IPFS was detected Informational 1 variation
The host produced traffic consistent with IPFS.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
Possible use of IPFS was detected
Informational overridden
The host produced traffic consistent with IPFS. overridden
Python HTTP server started Informational
Python HTTP server started - possible exfiltration over HTTP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)Required data: XDR AgentAttacker's goals: Attackers might use a Python server as a C&C or exfiltration channel.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it.Rare SMTP/S Session Informational
The Simple Mail Transfer Protocol (SMTP) and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Rare Unix process divided files by size Informational
A file was divided into sub-files by size limit by a rare process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Data Transfer Size Limits (T1030)Required data: XDR AgentAttacker's goals: This may assist an attacker to exfiltrate sensitive information.Investigative actions: Check if the user normally uses this capability. Check if this capability is used often on this endpoint.Sending unusual file(s) to an external address Low Email
Unusual files sent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations
A user sent sensitive email messages to external users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive email information.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Exchange mail to external account matching high severity DLP rules
Low overridden
A user sent sensitive email messages to external users. overridden
Sensitive Exchange mail sent to an external user
Low overridden
A user sent sensitive email messages to external users. overridden
Suspicious DNS traffic Informational 2 variations
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
Suspicious DNS traffic with a rarely seen domain
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden
Suspicious DNS traffic with a globally rare DNS query length
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden
Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Suspicious access to Kubernetes API with kubelet credentials from unusual pod
Medium overridden
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden
Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
Suspicious identity with DevOps behavior downloaded multiple objects from a bucket
Informational overridden
An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious identity downloaded multiple objects from a bucket that contains sensitive files
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden
Suspicious identity downloaded multiple objects from a backup storage bucket
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Uncommon increase in Azure Microsoft Graph API request sizes Informational Cloud 3 variations
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Exfiltrate data over Microsoft Graph API.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
Unusual Azure high-volume data transfer
Medium overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Suspicious Azure data transfer by identity
Medium overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Unusual data transfer from multiple Azure tenants
Low overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Uncommon recurring rare external host access Informational 6 variations
A process has established recurring connections to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.Variations
Uncommon recurring rare external host access by an automated penetration testing tool
High overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access to a dynamic DNS domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access initiated by a cron job
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a rare top-level domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access using an exfiltration tool
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a sensitive file in actor or causality command line
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Unusual attachment volume in outbound emails Informational Email 2 variations
Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Unusual attachment volume in outbound emails to a single external recipient
Informational overridden
Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe. overridden
Unusual attachment amount and size in outbound emails
Informational overridden
Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe. overridden
User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation
A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)Required data: AzureADAttacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.Variations
User signed in to an uncommon application via Power Automate for the first time
Low overridden
A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden
WebDAV drive mounted from net.exe over HTTPS Informational
Attackers may mount a WebDAV drive over HTTPS to upload files to and download files from a compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: XDR AgentAttacker's goals: Attackers might use WebDAV as a C&C or exfiltration channel to evade detection and firewall rules.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.