Analytics Alerts
Browse the Cortex analytics alert reference.
16 alerts match the current filters. tactic: TA0010 ✕ technique: T1020 ✕
Show ATT&CK heatmapA mail forwarding rule was configured in Google Workspace Medium Identity Threat Module 1 variation
A rule was set up to forward emails outside the Google Workspace domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim's organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.Investigative actions: Check if the identity intended to preform this action, and look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Follow further actions done by the account.Variations
A mail forwarding rule was configured in Google Workspace to an uncommon domain
High overridden
A rule was set up to forward emails outside the Google Workspace domain. overridden
An EBS snapshot block was downloaded Informational Cloud 2 variations
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An EBS snapshot block was downloaded from a snapshot with sensitive data
Medium overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden
An unusual download of EBS snapshot block
Low overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden
An identity accessed a backup cloud storage Informational Cloud 1 variation
An identity accessed a backup cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity accessed a backup cloud storage which wasn't read recently
Low overridden
An identity accessed a backup cloud storage. overridden
An identity accessed a cloud storage for the first time Informational Cloud
An identity accessed a cloud storage resource for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.An identity accessed cloud storage containing sensitive data Informational Cloud
An identity accessed cloud storage containing sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An identity performed a suspicious download of multiple cloud storage objects from an internal IP
Informational overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
An identity performed a suspicious download of multiple cloud storage objects
High overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden
An unusual read activity of cloud object Informational Cloud
An identity accessed a cloud object filetype for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Commonly abused AutoIT script connects to an external domain Medium
AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Execution (TA0002)ATT&CK techniques: Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010) Automated Exfiltration (T1020)Required data: XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: AutoIT scripts have legitimate uses, but are often abused by malware to execute in a signed process context. Identify the process contacting the remote domain and determine whether the traffic is malicious.Data exfiltration from cloud database Low Cloud 2 variations
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation.Variations
Data exfiltration from cloud database containing sensitive data from a production account toa foreign account
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Suspicious data exfiltration from cloud database
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Exchange inbox forwarding rule configured Informational Identity Threat Module Email 3 variations
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Create an inbox rule using a compromised user account to automatically forward emails containing specific conditions to an external recipient.Investigative actions: Check what conditions are met in the inbox rule (e.g. specific keywords in the subject or body). Determine if any of the conditions and keywords look suspicious. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange inbox forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange inbox forwarding rule configured
Medium overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. overridden
External Exchange inbox forwarding rule configured
Low overridden
A user configured an Exchange inbox forwarding rule, which forwards emails that meet specific conditions. The rule forwards emails to a public domain, which may be a sign of compromise. overridden
Exchange transport forwarding rule configured Low Identity Threat Module Email 2 variations
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Forward all emails in the organization that match specific criteria to an external recipient to collect sensitive information.Investigative actions: Check what mailboxes are affected by the transport rule. Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain and look up its reputation. Investigate the IP address associated with the rule. Follow further actions done by the account. Check for a possible phishing campaign on the organization. Look for emails sent to this recipient by other users.Variations
Exchange transport forwarding rule configured by a delegate user
Informational overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange transport forwarding rule configured
Medium overridden
A user configured an Exchange transport (mail flow) forwarding rule, which is applied to all emails that match certain conditions in the organization. overridden
Exchange user mailbox forwarding Low Identity Threat Module Email 2 variations
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Automated Exfiltration (T1020) Email Collection (T1114)Required data: Office 365 AuditAttacker's goals: Leverage a compromised user account to modify a mailbox's settings to forward emails to an external recipient and collect sensitive information.Investigative actions: Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Check if the forwarding domain is an unknown external domain. Investigate the IP address associated with the rule. Follow further actions done by the account.Variations
Exchange user mailbox forwarding by a delegate user
Informational overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. The user who set the forwarding is a delegated user, who performed this action on behalf of another user. overridden
Suspicious Exchange user mailbox forwarding
Medium overridden
A user configured Exchange SMTP forwarding on a mailbox, which forwards all emails sent to that mailbox to a specified recipient. overridden
Google Workspace automation was created Informational Identity Threat Module 1 variation
Google Workspace automation was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: Command and Scripting Interpreter (T1059) Event Triggered Execution (T1546) Automated Exfiltration (T1020)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may create automations to maintain persistence, execute malicious code, or exfiltrate data automatically.Investigative actions: Verify if the automation creation was authorized and expected for this user. Investigate the automation logic to determine if it is malicious. Investigate other suspicious activities performed by the user around the same timeframe.Variations
Google Workspace automation was created for a public document
Low overridden
The document that the automation was created for is publicly shared. overridden
Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Suspicious access to Kubernetes API with kubelet credentials from unusual pod
Medium overridden
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden
Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
Suspicious identity with DevOps behavior downloaded multiple objects from a bucket
Informational overridden
An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious identity downloaded multiple objects from a bucket that contains sensitive files
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden
Suspicious identity downloaded multiple objects from a backup storage bucket
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
User signed in to an application via Power Automate for the first time Informational Identity Threat Module 1 variation
A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Valid Accounts (T1078) Automated Exfiltration (T1020)Required data: AzureADAttacker's goals: Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.Investigative actions: Check if this was a desired behavior as part of the automation flow. Analyze the actions taken by the user during the session and verify that this is a legitimate session. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Look for signs of different data exfiltration via email, shared links or uploads to online storage.Variations
User signed in to an uncommon application via Power Automate for the first time
Low overridden
A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account. overridden