Analytics Alerts
Browse the Cortex analytics alert reference.
11 alerts match the current filters. tactic: TA0011 ✕ technique: T1090 ✕
Show ATT&CK heatmapA Successful VPN connection from TOR High Identity Analytics 1 variation
A successful VPN connection from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: Palo Alto Networks Global Protect Third-Party VPNsAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A Successful VPN connection from TOR via Mobile Device
Medium overridden
A successful VPN connection from a TOR exit node. overridden
A Successful login from TOR High Identity Analytics
A successful login from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: XDR AgentAttacker's goals: Gain initial access to the organization while anonymizing the source of the activity.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.A successful SSO sign-in from TOR High Identity Analytics 1 variation
A successful sign-in from a TOR exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOneAttacker's goals: Gain initial access to organization and hiding itself.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.Variations
A successful SSO sign-in from TOR via Mobile Device
Medium overridden
A successful sign-in from a TOR exit node. overridden
Cloud activity from a high-risk IP address Informational Cloud 1 variation
An identity executed a cloud API from a high-risk IP address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain initial access using a compromised identity while obfuscating origin.Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.Variations
Cloud activity from an unusual high-risk IP
Low overridden
An identity executed a cloud API from a high-risk IP address. overridden
Netcat makes or gets connections High
Malicious actors can use Netcat for privilege escalation, remote code execution, data exfiltration and protocol tunneling to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: XDR AgentAttacker's goals: Establish command and control channel. Propagate in the victim network.Investigative actions: Verify that the usage of Netcat/Netcat64 is from an authorized personnel and that user has the right to access the remote host.Suspicious AI model usage from a Tor exit node High Cloud 1 variation
A cloud identity invoked an AI model from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Failed AI model usage from a Tor exit node
Informational overridden
A cloud identity invoked an AI model from a Tor exit node. overridden
Suspicious API call from a Tor exit node High Cloud 2 variations
A cloud API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
Suspicious Kubernetes API call from a Tor exit node
High overridden
A Kubernetes API was called from a Tor exit node. overridden
A Failed API call from a Tor exit node
Informational overridden
A cloud API was called from a Tor exit node. overridden
Suspicious SaaS API call from a Tor exit node High Identity Threat Module 2 variations
A SaaS API was called from a Tor exit node.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: Conceal information about malicious activities, such as location and network usage.Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.Variations
A Failed API call from a Tor exit node
Informational overridden
A SaaS API was called from a Tor exit node. overridden
Suspicious SaaS API call from a Tor exit node via Mobile Device
Medium overridden
A SaaS API was called from a Tor exit node. overridden
Suspicious proxy environment variable setting Informational
Suspicious proxy environment variable change or definition with a rare command line.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Internal Proxy (T1090.001)Required data: XDR AgentAttacker's goals: Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.Investigative actions: Investigate the process activities and try to understand the network impact os the new proxy setting.Unusual Netsh PortProxy rule Low 2 variations
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unusual Netsh PortProxy rule by non-netsh process
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Netsh PortProxy rule by an unsigned causality actor
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual SSH activity that resembles SSH proxy Informational 3 variations
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Proxy: Internal Proxy (T1090.001)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.Investigative actions: Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.Variations
High Volume Unusual SSH activity that resembles SSH proxy
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Suspicious SSH activity that resembles SSH proxy
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden
Unusual SSH activity that resembles SSH proxy detected
Low overridden
A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden