Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

7 alerts match the current filters. tactic: TA0010 ✕ technique: T1567 ✕

Show ATT&CK heatmap
  • A process connected to a rare cloud resource Informational 3 variations

    A process connected to a rare cloud resource.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.
    Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.

    Variations

    A browser process connected to a rare cloud resource

    Informational overridden

    A browser process connected to a rare cloud resource. overridden

    A process connected to an atypical rare cloud resource

    Informational overridden

    A process connected to an atypical rare cloud resource. overridden

    A process connected to a rare cloud resource atypical to this agent

    Informational overridden

    A process connected to a rare cloud resource atypical to this agent. overridden

  • A user accessed an uncommon AppID Informational Identity Threat Module 5 variations

    A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.

    Variations

    A user accessed an uncommon external peer-to-peer service

    Informational overridden

    A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon external file-sharing service

    Informational overridden

    A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon peer-to-peer service

    Informational overridden

    A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon file-sharing service

    Informational overridden

    A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. overridden

    A user accessed an uncommon VPN service

    Informational overridden

    A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity. overridden

  • Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.

    Variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden

  • Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare

    Low overridden

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden

  • HTTP with suspicious characteristics Low 3 variations

    Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    HTTP with suspicious characteristics which is repetitive

    Low overridden

    Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics to an IP address

    Low overridden

    Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics that always fails

    Informational overridden

    Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

  • Massive upload to SaaS service Informational Identity Threat Module 1 variation

    A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.

    Variations

    Massive upload to SaaS service by suspicious user

    Low overridden

    A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden

  • Massive upload to a rare storage or mail domain Informational Identity Threat Module 1 variation

    A large amount of data was transferred to an external site that is used for mail or storage. This behavior may indicate data exfiltration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR Agent
    Attacker's goals: A user uploaded an abnormal amount of data to a file sharing service. This activity might indicate an attempt to exfiltrate files and data from the organization.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Identify the user uploading the data to determine if the transfer is sanctioned.

    Variations

    A user uploaded over 500 MB to a rare storage or mail domain

    Low overridden

    A user uploaded over 500 MB to a file sharing service that is rarely accessed by them or anyone else in the organization. overridden