Analytics Alerts
Browse the Cortex analytics alert reference.
6 alerts match the current filters. tactic: TA0010 ✕ technique: T1074 ✕
Show ATT&CK heatmapA user connected a USB storage device for the first time Informational Identity Threat Module
A user connected a USB storage device for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to a host Informational Identity Threat Module
A user connected a new USB storage device that was not seen for this user and host in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device-related process and file events to determine if it was used for legitimate purposes or malicious activity.A user connected a new USB storage device to multiple hosts Low Identity Threat Module
A user connected a new USB storage device to multiple endpoints.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data Staged (T1074) Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: The attacker may use a USB storage device connection for data exfiltration or data collection.Investigative actions: Investigate the USB storage device related process and file events to determine if it was used for legitimate purposes or malicious activity.Massive upload to SaaS service Informational Identity Threat Module 1 variation
A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.Variations
Massive upload to SaaS service by suspicious user
Low overridden
A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden
Possible data exfiltration over a USB storage device Informational Identity Threat Module
A process generated massive file creation, renaming and write activity to a USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Possible internal data exfiltration over a USB storage device Informational Identity Threat Module 1 variation
A user generated abnormal massive file activity to a connected USB storage device.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Physical Medium: Exfiltration over USB (T1052.001) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether the process that created the massive file activity creates network connections as well. Check whether the USB storage device is new to the organization. Check whether other users in the organization used the same process for massive file activity.Variations
Possible internal data exfiltration of over 500 MB via USB storage device
Low overridden
A user generated abnormal massive file activity to a connected USB storage device. overridden