Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

20 alerts match the current filters. tactic: TA0010 ✕ technique: T1048 ✕

Show ATT&CK heatmap
  • A Torrent client was detected on a host Informational 1 variation

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Exfiltrate data or as a phishing entry point.
    Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    A Torrent client was detected on a host

    Informational overridden

    The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden

  • A compressed file was exfiltrated over SSH Informational 1 variation

    Exfiltration of a compressed file over SSH.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may try to exfiltrate data over encrypted network protocol.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    A compressed file was exfiltrated over SSH from a Kubernetes pod

    Informational overridden

    Exfiltration of a compressed file over SSH. overridden

  • AWS network ACL rule creation Informational Cloud

    An AWS network ACL rule was created with a specific rule number.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)
    ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.
  • DNS Tunneling Low 1 variation

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    DNS Tunneling

    Medium overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden

  • First-seen email from mailbox owner to external recipient's address in the last 30 days Informational Email 6 variations

    Internal sender initiated first-time communication with an external recipient in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration, Account Takeover
    Attacker's goals: Extracting valuable information outside the company.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    First-time email to the disposable domain

    Low overridden

    Internal sender emailed to external address(es) with disposable domain. overridden

    First-time email from organization's domain with the external recipient's domain in the last 30 days

    Informational overridden

    Internal sender emailed an external address belonging to a domain seen for the first time by the organization domain in the last 30 days. overridden

    First-time email from organization with the external recipient in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) that first-seen by the the whole organization in the last 30 days. overridden

    First-time email from organization's domain to the external recipient in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) that first-seen by the organization domain in the last 30 days. overridden

    First-time email from mailbox owner to the external recipient's domain in the last 30 days

    Informational overridden

    Internal sender emailed to external address(es) with domain that first-seen by that sender in the last 30 days. overridden

    First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days

    Informational overridden

    Internal sender emailed first-time to multiple external recipients with no internal recipients included in the last 30 days. overridden

  • Large Upload (FTP) Low 1 variation

    The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Exfiltrate stolen data from the victim network to an attacker's controllable resource.
    Investigative actions: Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive. Identify the entity performing the data transfer to determine if the transfer is sanctioned. Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.

    Variations

    Large Upload (FTP)

    Informational overridden

    The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol. overridden

  • Large Upload (Generic) Low 3 variations

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful to him.
    Investigative actions: Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity. Check if the traffic is to/from a misconfigured network. Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

    Variations

    Large Upload (Generic)

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (Generic) Lower than 100 MB

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (Generic) to a Frequently Used Upload Target

    Informational overridden

    The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden

  • Large Upload (HTTPS) Low 2 variations

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Transfer data she has stolen from your network to a location that is convenient and useful to her.
    Investigative actions: Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data to a site that uses load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR Analytics detector. Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

    Variations

    Large Upload (HTTPS)

    Informational overridden

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden

    Large Upload (HTTPS) to non-standard port

    Low overridden

    The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden

  • Large Upload (SMTP) Low 1 variation

    The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Transfer data they have stolen from your network to a location that is convenient and useful to him.
    Investigative actions: Identify the process/user performing the data transfer to determine if the transfer is sanctioned. Verify that the source is not a mail server. Check if the target address represents a mail service that rarely used in the organization. If so, this might indicate on file exfiltration attempt.

    Variations

    Large Upload (SMTP)

    Informational overridden

    The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network. overridden

  • Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams external communication policy was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)
    ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

    Variations

    Microsoft Teams external communication policy was modified by an unusual user

    Low overridden

    Microsoft Teams external communication policy was modified. overridden

  • Possible IPFS traffic was detected Informational

    The host attempted to access other nodes in an IPFS manner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.
  • Possible use of IPFS was detected Informational 1 variation

    The host produced traffic consistent with IPFS.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.
    Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.

    Variations

    Possible use of IPFS was detected

    Informational overridden

    The host produced traffic consistent with IPFS. overridden

  • Python HTTP server started Informational

    Python HTTP server started - possible exfiltration over HTTP.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)
    Required data: XDR Agent
    Attacker's goals: Attackers might use a Python server as a C&C or exfiltration channel.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it.
  • Rare SMTP/S Session Informational

    The Simple Mail Transfer Protocol (SMTP) and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Sending unusual file(s) to an external address Low Email

    Unusual files sent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)
    ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.
    Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.
  • Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations

    A user sent sensitive email messages to external users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: O365 DLP Analytics
    Attacker's goals: An attacker is attempting to collect sensitive email information.
    Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.

    Variations

    Exchange mail to external account matching high severity DLP rules

    Low overridden

    A user sent sensitive email messages to external users. overridden

    Sensitive Exchange mail sent to an external user

    Low overridden

    A user sent sensitive email messages to external users. overridden

  • Suspicious DNS traffic Informational 2 variations

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.
    Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.

    Variations

    Suspicious DNS traffic with a rarely seen domain

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden

    Suspicious DNS traffic with a globally rare DNS query length

    Low overridden

    10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden

  • Uncommon increase in Azure Microsoft Graph API request sizes Informational Cloud 3 variations

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: Exfiltrate data over Microsoft Graph API.
    Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.

    Variations

    Unusual Azure high-volume data transfer

    Medium overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

    Suspicious Azure data transfer by identity

    Medium overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

    Unusual data transfer from multiple Azure tenants

    Low overridden

    An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden

  • Unusual attachment volume in outbound emails Informational Email 2 variations

    Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: Microsoft 365 Emails
    Detector tags: Exfiltration
    Attacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.
    Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.

    Variations

    Unusual attachment volume in outbound emails to a single external recipient

    Informational overridden

    Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe. overridden

    Unusual attachment amount and size in outbound emails

    Informational overridden

    Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe. overridden

  • WebDAV drive mounted from net.exe over HTTPS Informational

    Attackers may mount a WebDAV drive over HTTPS to upload files to and download files from a compromised machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)
    Required data: XDR Agent
    Attacker's goals: Attackers might use WebDAV as a C&C or exfiltration channel to evade detection and firewall rules.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.