Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. tactic: TA0011 ✕ technique: T1219 ✕

Show ATT&CK heatmap
  • An app was added to Google Marketplace Informational Identity Threat Module 3 variations

    An app was added to the Google Workspace Marketplace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Remote Access Tools (T1219)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new app that was added to Google workspace Marketplace. Follow further actions done by the account.

    Variations

    An app was added to Google Marketplace by a non-administrative identity

    Informational overridden

    An app was added to the Google Workspace Marketplace. overridden

    An app was added to Google Marketplace from an unusual ASN

    Low overridden

    An app was added to the Google Workspace Marketplace. overridden

    An unusual app was added to Google Marketplace

    Low overridden

    An app was added to the Google Workspace Marketplace. overridden

  • Rare process with VNC server capabilities started Low

    A rare process with VNC server capabilities was started.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.
  • Uncommon VNC server communication Low 4 variations

    Uncommon VNC server network traffic was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)
    ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.

    Variations

    Uncommon VNC scanning activity detected from a scanning tool

    Medium overridden

    An uncommon VNC scanning network traffic was observed from a scanning tool. overridden

    Uncommon VNC server communication from an unmanaged previously unseen external host

    Low overridden

    Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden

    Partially uncommon VNC server communication

    Informational overridden

    Uncommon VNC server network traffic was observed. overridden

    Uncommon VNC server connection

    Informational overridden

    An uncommon VNC Server network connection was observed. overridden

  • Uncommon recurring rare external host access Informational 6 variations

    A process has established recurring connections to an uncommon external host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.
    Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.

    Variations

    Uncommon recurring rare external host access by an automated penetration testing tool

    High overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access to a dynamic DNS domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access initiated by a cron job

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a rare top-level domain

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access using an exfiltration tool

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

    Uncommon recurring rare external host access with a sensitive file in actor or causality command line

    Low overridden

    A process has established recurring connections to an uncommon external host. overridden

  • Uncommon remote monitoring and management tool Low 4 variations

    An uncommon Remote Monitoring and Management (RMM) product was observed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Remote Access Tools (T1219)
    Required data: XDR Agent
    Attacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.
    Investigative actions: Check if the product usage is approved. Ask the owners of the machine if they knowingly used this software. Investigate why the software was being used. Check if it was executed remotely or locally.

    Variations

    Uncommon renamed remote monitoring and management tool

    Medium overridden

    An uncommon renamed Remote Monitoring and Management (RMM) product was observed. overridden

    Uncommon remote monitoring and management tool (browser origin)

    Informational overridden

    An uncommon Remote Monitoring and Management (RMM) product was observed. (browser origin). overridden

    Uncommon remote monitoring and management tool extracted from an internet-downloaded archive and executed

    Low overridden

    An uncommon Remote Monitoring and Management (RMM) product extracted from an internet-downloaded archive and executed. overridden

    Uncommon remote monitoring and management tool downloaded from an uncommon source and executed

    Medium overridden

    An uncommon Remote Monitoring and Management (RMM) product downloaded from an uncommon source and executed. overridden