Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0010 ✕ technique: T1102 ✕
Show ATT&CK heatmapAbnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.Variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare
Low overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden
HTTP with suspicious characteristics Low 3 variations
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
HTTP with suspicious characteristics which is repetitive
Low overridden
Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics to an IP address
Low overridden
Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics that always fails
Informational overridden
Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden