Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0011 ✕ technique: T1572 ✕
Show ATT&CK heatmapSuspicious ICMP packet Low 1 variation
An ICMP router advertisement was sent by a host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Make the victim change his routing table.Investigative actions: Investigate why the source host sent an ICMP router advertisement and if it changed the destination target routing table.Variations
Suspicious ICMP packet that resemble an ICMP redirect attack
Informational overridden
ICMP redirect was sent by a user. overridden
Uncommon network tunnel creation Informational 3 variations
An uncommon network tunnel was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 12 Hours
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Url LogsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
Uncommon network tunnel creation
Informational overridden
An uncommon network tunnel was established using ACS_ssh.exe. overridden
Uncommon SSH tunnel to unpopular IP address
Low overridden
An uncommon SSH tunnel was established to an unpopular remote IP address at the organization. overridden
An uncommon network tunnel was established over the default SSH port
Low overridden
An unpopular process and command line created a network tunnel over the default SSH port. overridden
Uncommon reverse SSH tunnel to external domain/ip Low 1 variation
An uncommon reverse SSH tunnel might have been created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external ip/domain. Investigate the causality of the process.Variations
Uncommon reverse SSH tunnel to external domain/ip using a sensitive port
Low overridden
An uncommon reverse SSH tunnel might have been created. overridden
Unusual SSH Activity Informational 2 variations
Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Protocol Tunneling (T1572)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the client IP/Agent for using known intelligence tools. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised, Additionally examine logs for any unexpected data transfers or commands that may indicate malicious intent.Variations
Unusual, long SSH activity with tunnel characteristics
Low overridden
Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration. overridden
Unusual SSH activity with tunnel characteristics to external destination
Low overridden
Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session. overridden