Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

83 alerts match the current filters. tactic: TA0010 ✕

Show ATT&CK heatmap
  • A Backup vault policy was modified Low Cloud

    A cloud identity has modified backup vault access policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Manipulate access to a backup vault.
    Investigative actions: Check if the {identity_name} intended to modify the backup vault policy. Check additional activity by {identity_name}.
  • A Cloud DB instance was exported to an unknown destination Informational Cloud

    A Cloud DB instance was exported to a foreign storage destination.The destination storage has not been seen in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate sensitive database content to an external or attacker-controlled bucket.
    Investigative actions: Verify if the destination bucket is authorized for data export. Investigate the identity performing the action for unusual behavior or lack of authorization. Assess the sensitivity of the data within the source Cloud DB instance to determine impact.
  • A GCP Cloud SQL DB instance was exported from a production account Informational Cloud

    A GCP Cloud SQL DB instance was exported to a storage bucket.The DB instance was exported from a production account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source Cloud DB instance. Review further actions performed by the identity.
  • A Torrent client was detected on a host Informational 1 variation

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Exfiltrate data or as a phishing entry point.
    Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    A Torrent client was detected on a host

    Informational overridden

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden

  • A cloud snapshot of AWS database or storage was modified or shared Informational Cloud 2 variations

    A cloud identity has shared a snapshot of an AWS database or storage instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot of a database or storage instance was shared public

    Low overridden

    A cloud identity has shared a snapshot of an AWS database or storage instance. overridden

    Cloud snapshot of a database or storage instance was shared with an unknown AWS account

    Low overridden

    A cloud identity has shared a snapshot of an AWS database or storage instance. overridden

  • A cloud storage object was copied to a foreign cloud account Medium Cloud 2 variations

    A cloud storage object was copied or moved to a foreign cloud storage account.The destination account was either not monitored or not seen within your tenant for the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate data to a foreign account.
    Investigative actions: Check the legitimacy of the copy operation. Review further actions performed by the identity.

    Variations

    A cloud storage object from a sensitive bucket was copied to a foreign cloud account from a production account

    High overridden

    A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden

    A cloud storage object was copied to a foreign cloud account from a production account

    Medium overridden

    A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden

  • A compressed file was exfiltrated over SSH Informational 1 variation

    Exfiltration of a compressed file over SSH.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to exfiltrate data over encrypted network protocol.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    A compressed file was exfiltrated over SSH from a Kubernetes pod

    Informational overridden

    Exfiltration of a compressed file over SSH. overridden

  • A mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation

    A rule was set up to forward emails outside the Google Workspace domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.
    Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.

    Variations

    A mail forwarding rule was configured in Google Workspace to an uncommon domain

    High overridden

    A rule was set up to forward emails outside the Google Workspace domain. overridden

  • A process connected to a rare cloud resource Informational 3 variations

    A process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A browser process connected to a rare cloud resource

    Informational overridden

    A browser process connected to a rare cloud resource. overridden

    A process connected to an atypical rare cloud resource

    Informational overridden

    A process connected to an atypical rare cloud resource. overridden

    A process connected to a rare cloud resource atypical to this agent

    Informational overridden

    A process connected to a rare cloud resource atypical to this agent. overridden

  • A user accessed an uncommon AppID Informational Identity Threat Module 5 variations

    A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    A user accessed an uncommon external peer-to-peer service

    Informational overridden

    A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon external file-sharing service

    Informational overridden

    A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon peer-to-peer service

    Informational overridden

    A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon file-sharing service

    Informational overridden

    A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon VPN service

    Informational overridden

    A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity. overridden

  • A user connected a USB storage device for the first time Informational Identity Threat Module

    A user connected a USB storage device for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to a host Informational Identity Threat Module

    A user connected a new USB storage device that was not seen for this user and host in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user connected a new USB storage device to multiple hosts Low Identity Threat Module

    A user connected a new USB storage device to multiple endpoints.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.
    Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.
  • A user printed an unusual number of files Informational Identity Threat Module

    A user printed an unusual number of files. This may be indicative of malicious activity and an attempt to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium (T1052)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: In an attempt to exfiltrate data, a malicious insider might print an unusual number of files.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • AWS EC2 instance exported into S3 Informational Cloud

    A running or stopped instance was exported to an Amazon S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • AWS Transfer Family server created Informational Cloud 1 variation

    A cloud identity created server using AWS Transfer Family service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Attacker is trying to exfiltrate data out of AWS storage services.
    Investigative actions: Check if the AWS Transfer Family service is used by your organization. Check if {identity_name} created a server using this service before. Check which storage instances were affected by {transfer_server_id} server.

    Variations

    Unusual cloud transfer service activity

    Low overridden

    A cloud identity created server using AWS Transfer Family service. overridden

  • AWS network ACL rule creation Informational Cloud

    An AWS network ACL rule was created with a specific rule number.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.
  • Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.

    Variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden

  • Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare

    Low overridden

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden

  • An AWS EC2 instance containing sensitive data was exported Informational Cloud

    A EC2 instance was exported to an S3 bucket.The instance was found to contain sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • An AWS EC2 instance was exported from a production account Informational Cloud

    An EC2 instance was exported from a production account to an S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • An AWS EC2 instance was exported into an unknown S3 bucket Informational Cloud

    An EC2 instance was exported to an unknown S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
    Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.
  • An AWS RDS instance was created from a snapshot Informational Cloud

    A new AWS RDS instance was created from a publicly available RDS snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Gain access to the RDS instance. Access confidential data stored in the RDS instance.
    Investigative actions: Check the RDS instance status in the AWS console. Verify if the instance is publicly accessible.
  • An Azure SQL database was exported from a production subscription Informational Cloud

    An Azure SQL database export was initiated.The database was exported from a production subscription.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Azure Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source SQL instance. Review further actions performed by the identity.
  • An Azure VM snapshot SAS URL was generated for export from a production subscription Informational Cloud

    A SAS URL for an Azure VM snapshot was generated.The operation was performed within a production subscription.SAS URLs allow others to download or export the snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Azure Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate the VM disk image to access sensitive data stored on the disk.
    Investigative actions: Verify if the identity is authorized to generate SAS URLs for VM snapshots. Check if the snapshot export aligns with scheduled maintenance or backup procedures. Review further actions performed by the identity to see if the snapshot was downloaded or accessed.
  • An EBS snapshot block was downloaded Informational Cloud 2 variations

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An EBS snapshot block was downloaded from a snapshot with sensitive data

    Medium overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden

    An unusual download of EBS snapshot block

    Low overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden

  • An RDS snapshot containing sensitive data was exported Informational Cloud

    An RDS snapshot containing sensitive data was exported to an S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.
  • An RDS snapshot was exported from a production account Informational Cloud

    An RDS snapshot was exported from a production account to an S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.
  • An RDS snapshot was exported to an unknown S3 bucket Low Cloud 3 variations

    An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source snapshot ID. Review further actions performed by the identity and role.

    Variations

    An RDS snapshot was exported to an unknown S3 bucket by an admin identity

    Informational overridden

    An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.The identity has an administrative behavior. overridden

    An RDS snapshot was exported to an unknown S3 bucket with suspicious indicators

    Medium overridden

    An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days. overridden

    An RDS snapshot was exported to an unknown S3 bucket - denied attempt

    Informational overridden

    A denied attempt to export an RDS snapshot to an unknown S3 bucket. overridden

  • An RDS snapshot was exported to an unknown bucket Informational Cloud 1 variation

    An RDS snapshot was exported to an unknown S3 bucket.The destination bucket has not been seen in your tenant in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response, Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.

    Variations

    Failed RDS snapshot export attempt to an unknown bucket

    Informational overridden

    A failed attempt to export an RDS snapshot to an unknown bucket. overridden

  • An S3 replication policy to an unknown bucket was created Low Cloud 3 variations

    An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate data to an unknown bucket.
    Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source bucket. Review further actions performed by the identity.

    Variations

    Unusual S3 replication policy to an unknown bucket was created

    Low overridden

    An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The operation was not performed in your organization in the last 30 days. overridden

    An S3 replication policy to an unknown bucket was created by an admin identity

    Informational overridden

    An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The identity has an administrative behavior. overridden

    An S3 replication policy to an unknown bucket was created - denied attempt

    Low overridden

    A denied attempt to create an S3 replication policy to an unknown bucket. overridden

  • An identity accessed a backup cloud storage Informational Cloud 1 variation

    An identity accessed a backup cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity accessed a backup cloud storage which wasn't read recently

    Low overridden

    An identity accessed a backup cloud storage. overridden

  • An identity accessed a cloud storage for the first time Informational Cloud

    An identity accessed a cloud storage resource for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.
  • An identity accessed cloud storage containing sensitive data Informational Cloud

    An identity accessed cloud storage containing sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • An identity initiated a download of multiple cloud objects Informational Cloud 2 variations

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume

    Medium overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden

    An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume

    Low overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden

  • An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An identity performed a suspicious download of multiple cloud storage objects from an internal IP

    Informational overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    High overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects from multiple buckets

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden

  • An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation

    An unusual cloud identity was granted permissions to a BigQuery table or dataset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.
    Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.

    Variations

    Cloud admin granted an unknown identity permissions to a BigQuery resource

    Informational overridden

    An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden

  • An unusual read activity of cloud object Informational Cloud

    An identity accessed a cloud object filetype for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • Azure storage account cross-tenant object replication was enabled Informational Cloud 1 variation

    Azure cross-tenant object replication in a storage account was enabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Enable unauthorized data transfer to an external or attacker-controlled environment. Establish a persistent channel for ongoing data exfiltration. Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.
    Investigative actions: Confirm that the identity intended to enable cross-tenant replication. Follow further actions done by the identity. Monitor the storage account for other suspicious activities.

    Variations

    Azure storage account cross-tenant object replication was enabled for the first time in a subscription

    Low overridden

    Azure cross-tenant object replication in a storage account was enabled for the first time in a subscription. overridden

  • Bedrock model shared with a foreign account Low Cloud

    A bedrock model was shared with a foreign account through AWS resource access manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Exfiltrate the proprietary model to a foreign account and establish persistent access to it.
    Investigative actions: Investigate the foreign cloud accounts that gained access to the models. Assess the sensitivity of the shared models to determine the potential impact of this exposure. Identify the actor and investigate their identity for compromise.
  • BigQuery table or query results exfiltrated to a foreign project Informational Cloud 2 variations

    A cloud identity exfiltrated BigQuery table data to a foreign storage service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery table.
    Investigative actions: Check if {cloud_best_identity_match} intended to transfer data from BigQuery table. Verify if the affected table did not contain any sensitive information.

    Variations

    BigQuery table or query results exfiltrated to a foreign project by cloud admin identity

    Informational overridden

    A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden

    BigQuery table or query results exfiltrated to a foreign project by an unknown identity

    Low overridden

    A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden

  • Bucket's block public access setting turned off Informational Cloud

    S3 bucket block public access setting turned off.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Expose bucket to the public and maintain access to bucket's resources avoiding detection.
    Investigative actions: Check if {cloud_best_identity_match} intended to modify block public access settings. Check if the {bucket_name} bucket contains any sensitive information.
  • Bucket's object ownership controls were modified Informational Cloud

    S3 bucket object ownership controls were modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Maintain control and access to data that resides inside the S3 bucket.
    Investigative actions: Check if {cloud_best_identity_match} intended to modify bucket's object ownership. Check if the {aws_s3bucket_identifier} bucket contains any sensitive information.
  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

  • Cloud snapshot of a database or storage instance was publicly shared Medium Cloud

    A cloud identity has publicly shared a snapshot of a database or storage instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to share the snapshot publicly. Check if the identity performed additional malicious operations within the cloud environment.
  • Commonly abused AutoIT script connects to an external domain Medium

    AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)
    ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)
    Required data: XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.
  • DNS Tunneling Low 1 variation

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    DNS Tunneling

    Medium overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden

  • Data exfiltration from cloud database Low Cloud 2 variations

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation.

    Variations

    Data exfiltration from cloud database containing sensitive data from a production account toa foreign account

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

    Suspicious data exfiltration from cloud database

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

  • EC2 instance Amazon machine image was created Informational Cloud

    Amazon machine image was created from elastic compute cloud instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Attacker's goals: Creating Amazon machine images might be part of elastic compute cloud instance exfiltration chain.
    Investigative actions: Check if {identity_name} to create Amazon machine image. Check if the {cloud_aws_instance_id} instance did not contain any sensitive data.
  • EC2 snapshot attribute has been modified Informational Cloud

    The snapshot's permissions were modified (added/removed).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate backup/stored information.
    Investigative actions: Check if the snapshot is shared with an unwanted account/actor.
  • Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.
    Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange inbox forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange inbox forwarding rule configured

    Medium overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden

    External Exchange inbox forwarding rule configured

    Low overridden

    A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden

  • Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.
    Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.

    Variations

    Exchange transport forwarding rule configured by a delegate user

    Informational overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange transport forwarding rule configured

    Medium overridden

    A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden

  • Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)
    Required data: Office 365 Audit
    Attacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.
    Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.

    Variations

    Exchange user mailbox forwarding by a delegate user

    Informational overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden

    Suspicious Exchange user mailbox forwarding

    Medium overridden

    A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden

  • External Sharing was turned on for Google Drive Informational Identity Threat Module 3 variations

    An identity has modified Google Drive sharing settings and allowed external sharing.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may exfiltrate data, such as sensitive documents.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). check the new setting details. Follow further actions done by the account.

    Variations

    External Sharing was turned on for Google Drive by a non Google Workspace administrative user from an unusual ASN

    Low overridden

    An identity has modified Google Drive sharing settings and allowed external sharing. overridden

    External Sharing was turned on for Google Drive by a non Google Workspace administrative user

    Low overridden

    An identity has modified Google Drive sharing settings and allowed external sharing. overridden

    External Sharing was turned on for Google Drive from an unusual ASN

    Low overridden

    An identity has modified Google Drive sharing settings and allowed external sharing. overridden

  • First-seen email from mailbox owner to external recipient's address in the last 30 days Informational Email 6 variations

    Internal sender initiated first-time communication with an external recipient in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    First-time email to the disposable domain

    Low overridden

    Internal sender emailed to external address(es) with disposable domain. overridden

    First-time email from organization's domain with the external recipient's domain in the last 30 days

    Informational overridden

    Internal sender emailed an external address belonging to a domain seen for the first time by the organization domain in the last 30 days. overridden

    First-time email from organization with the external recipient in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) that first-seen by the the whole organization in the last 30 days. overridden

    First-time email from organization's domain to the external recipient in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) that first-seen by the organization domain in the last 30 days. overridden

    First-time email from mailbox owner to the external recipient's domain in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) with domain that first-seen by that sender in the last 30 days. overridden

    First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days

    Informational overridden

    Internal sender emailed first-time to multiple external recipients with no internal recipients included in the last 30 days. overridden

  • Foreign account was granted permissions to S3 bucket via resource-based policy Informational Cloud 1 variation

    Foreign account was granted access to S3 bucket.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: The attacker wants to maintain control over the resource.
    Investigative actions: Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy. Check the permissions that were granted to the {aws_grantee_project}. Restrict permissions for the {aws_grantee_project} if needed.

    Variations

    Foreign account was granted permissions to S3 bucket containing sensitive information via resource-based policy

    Low overridden

    Foreign account was granted access to S3 bucket. overridden

  • Google Workspace automation was created Informational Identity Threat Module 1 variation

    Google Workspace automation was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.
    Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.

    Variations

    Google Workspace automation was created for a public document

    Low overridden

    The document that the automation was created for is publicly shared. overridden

  • HTTP with suspicious characteristics Low 3 variations

    Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    HTTP with suspicious characteristics which is repetitive

    Low overridden

    Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics to an IP address

    Low overridden

    Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics that always fails

    Informational overridden

    Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

  • Large Upload (FTP) Low 1 variation

    The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Exfiltrate stolen data from the victim network to an attacker's controllable resource.
    Investigative actions: Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive. Identify the entity performing the data transfer to determine if the transfer is sanctioned. Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.

    Variations

    Large Upload (FTP)

    Informational overridden

    The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol. overridden

  • Large Upload (Generic) Low 3 variations

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful to him.
    Investigative actions: Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity. Check if the traffic is to/from a misconfigured network. Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

    Variations

    Large Upload (Generic)

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (Generic) Lower than 100 MB

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (Generic) to a Frequently Used Upload Target

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

  • Large Upload (HTTPS) Low 2 variations

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Transfer data she has stolen from your network to a location that is convenient and useful to her.
    Investigative actions: Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data to a site that uses load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR Analytics detector. Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

    Variations

    Large Upload (HTTPS)

    Informational overridden

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (HTTPS) to non-standard port

    Low overridden

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden

  • Large Upload (SMTP) Low 1 variation

    The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Transfer data they have stolen from your network to a location that is convenient and useful to him.
    Investigative actions: Identify the process/user performing the data transfer to determine if the transfer is sanctioned. Verify that the source is not a mail server. Check if the target address represents a mail service that rarely used in the organization. If so, this might indicate on file exfiltration attempt.

    Variations

    Large Upload (SMTP)

    Informational overridden

    The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network. overridden

  • Massive upload to SaaS service Informational Identity Threat Module 1 variation

    A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.

    Variations

    Massive upload to SaaS service by suspicious user

    Low overridden

    A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden

  • Massive upload to a rare storage or mail domain Informational Identity Threat Module 1 variation

    A large amount of data was transferred to an external site that is used for mail or storage. This behavior may indicate data exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent
    Attacker's goals: A user uploaded an abnormal amount of data to a file sharing service. This activity might indicate an attempt to exfiltrate files and data from the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Identify the user uploading the data to determine if the transfer is sanctioned.

    Variations

    A user uploaded over 500 MB to a rare storage or mail domain

    Low overridden

    A user uploaded over 500 MB to a file sharing service that is rarely accessed by them or anyone else in the organization. overridden

  • Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams external communication policy was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)
    ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

    Variations

    Microsoft Teams external communication policy was modified by an unusual user

    Low overridden

    Microsoft Teams external communication policy was modified. overridden

  • Multiple cloud snapshots export Informational Cloud 4 variations

    A cloud identity has downloaded multiple virtual machines or DB snapshots locally.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the disk.
    Investigative actions: Check if the identity intended to export the virtual machines or DB snapshots. Check if the identity performed additional operations in the cloud environment that might be malicious.

    Variations

    Multiple cloud snapshots export

    High overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on the cloud project history. overridden

    Multiple cloud snapshots export

    Medium overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on The cloud identity history. overridden

    Multiple cloud snapshots export

    Low overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the unsuccessful attempts rate. overridden

    Multiple cloud snapshots export

    Low overridden

    A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the cloud project or identity history. overridden

  • Possible IPFS traffic was detected Informational

    The host attempted to access other nodes in an IPFS manner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.
  • Possible data exfiltration over a USB storage device Informational Identity Threat Module

    A process generated massive file creation, renaming and write activity to a USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.
  • Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation

    A user generated abnormal massive file activity to a connected USB storage device.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect data and stage it on an endpoint in the organization.
    Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.

    Variations

    Possible internal data exfiltration of over 500 MB via USB storage device

    Low overridden

    A user generated abnormal massive file activity to a connected USB storage device. overridden

  • Possible use of IPFS was detected Informational 1 variation

    The host produced traffic consistent with IPFS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    Possible use of IPFS was detected

    Informational overridden

    The host produced traffic consistent with IPFS. overridden

  • Python HTTP server started Informational

    Python HTTP server started - possible exfiltration over HTTP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
    Required data: XDR Agent
    Attacker's goals: Attackers might use a Python server as a C&C or exfiltration channel.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it.
  • Rare SMTP/S Session Informational

    The Simple Mail Transfer Protocol (SMTP) and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Rare Unix process divided files by size Informational

    A file was divided into sub-files by size limit by a rare process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Data Transfer Size Limits (T1030)
    Required data: XDR Agent
    Attacker's goals: This may assist an attacker to exfiltrate sensitive information.
    Investigative actions: Check if the user normally uses this capability. Check if this capability is used often on this endpoint.
  • Sending unusual file(s) to an external address Low Email

    Unusual files sent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.
    Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.
  • Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations

    A user sent sensitive email messages to external users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive email information.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Exchange mail to external account matching high severity DLP rules

    Low overridden

    A user sent sensitive email messages to external users. overridden

    Sensitive Exchange mail sent to an external user

    Low overridden

    A user sent sensitive email messages to external users. overridden

  • Suspicious DNS traffic Informational 2 variations

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    Suspicious DNS traffic with a rarely seen domain

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden

    Suspicious DNS traffic with a globally rare DNS query length

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden

  • Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation

    A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Suspicious access to Kubernetes API with kubelet credentials from unusual pod

    Medium overridden

    A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden

  • Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    Suspicious identity with DevOps behavior downloaded multiple objects from a bucket

    Informational overridden

    An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    Suspicious identity downloaded multiple objects from a bucket that contains sensitive files

    Medium overridden

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden

    Suspicious identity downloaded multiple objects from a backup storage bucket

    Medium overridden

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

  • Uncommon increase in Azure Microsoft Graph API request sizes Informational Cloud 3 variations

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Exfiltrate data over Microsoft Graph API.
    Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.

    Variations

    Unusual Azure high-volume data transfer

    Medium overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

    Suspicious Azure data transfer by identity

    Medium overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

    Unusual data transfer from multiple Azure tenants

    Low overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

  • Uncommon recurring rare external host access Informational 6 variations

    A process has established recurring connections to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.

    Variations

    Uncommon recurring rare external host access by an automated penetration testing tool

    High overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access to a dynamic DNS domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access initiated by a cron job

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a rare top-level domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access using an exfiltration tool

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a sensitive file in actor or causality command line

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

  • Unusual attachment volume in outbound emails Informational Email 2 variations

    Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Unusual attachment volume in outbound emails to a single external recipient

    Informational overridden

    Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe. overridden

    Unusual attachment amount and size in outbound emails

    Informational overridden

    Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation

    A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)
    Required data: AzureAD
    Attacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.
    Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.

    Variations

    User signed in to an uncommon application via Power Automate for the first time

    Low overridden

    A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden

  • WebDAV drive mounted from net.exe over HTTPS Informational

    Attackers may mount a WebDAV drive over HTTPS to upload files to and download files from a compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: XDR Agent
    Attacker's goals: Attackers might use WebDAV as a C&C or exfiltration channel to evade detection and firewall rules.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.