Analytics Alerts
Browse the Cortex analytics alert reference.
14 alerts match the current filters. tactic: TA0043 ✕
Show ATT&CK heatmapA user accessed multiple time-consuming websites Informational Identity Threat Module
A user was observed visiting multiple domains for personal reasons. Time theft happens when an employee is paid to work but did not actually work during that time. It might affect your business as it reduces the employee's efficiency.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Search Open Websites/Domains (T1593)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: A user may utilize work time for personal reasons.Investigative actions: Investigate the domains accessed and how popular they are in the organization. Verify that the user is not part of a department that visits these websites as part of their daily operations.Abnormal RPC traffic to multiple hosts Low 1 variation
The endpoint performed unfamiliar RPC activity to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Variations
Abnormal RPC traffic to multiple IPs
Informational overridden
The endpoint performed unfamiliar RPC activity to multiple hosts. overridden
Abnormal SMB scanning activity to multiple hosts Informational 4 variations
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 20 Minutes
- Deduplication:
- 2 Days
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning (T1595)Required data: XDR AgentAttacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.Variations
Highly rare SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network. overridden
Highly rare SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden
Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsDetector tags: SpamAttacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.Variations
Email with high Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with high Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level and Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email with medium Spam Confidence Level or Bulk Complaint Level values
Informational overridden
The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden
Email was received from an unknown address using a public provider domain Informational Email
The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Email was received from an unknown sender using a disposable domain Low Email
The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Increase in Job-Related Site Visits Informational Identity Threat Module
A user has visited multiple job-related sites in the past day.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Search Open Websites/Domains (T1593)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: This may be an early indicator of an insider threat.Investigative actions: Investigate the domains accessed and how popular they are in the organization. Check how long the user has been part of the organization. Verify that the user is not part of a department that accesses job sites as part of daily operations.Near-empty email from an external sender Informational Email 3 variations
The email was sent from an external sender and contains minimal content.Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Gather Victim Identity Information (T1589)Required data: Microsoft 365 EmailsDetector tags: ReconnaissanceAttacker's goals: Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).Investigative actions: Check the content of the body and whether it has any relevance to the recipients. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address. Verify whether the sender's IP address has appeared in different log sources before.Variations
Blank email with an inline attachment from an external sender
Informational overridden
This email was sent from an external sender and contains no readable message content, but includes an inline attachment.Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts. overridden
Blank email with an attachment from an external sender
Informational overridden
The email was sent from an external sender and contains no message content while including an attachment.Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information. overridden
Empty email from an external sender
Informational overridden
The email was sent from an external sender and contains no subject or message content.While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity. overridden
Rarely seen sender address in the organization Informational Email
An email was received from a sender that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Rarely seen sender domain in the organization Informational Email
An email was received from a domain that has not been observed in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.Subdomain Fuzzing Low 1 variation
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 20 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning: Wordlist Scanning (T1595.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Scan a known external facing asset to gain knowledge about the organization.Investigative actions: Verify that the domain doesn't host numerous subdomains. Verify that the source of the scan is not a known external scanner.Variations
Subdomain Fuzzing To a Rare Destination
Medium overridden
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network. overridden
Suspicious access of the System Management Container Low Identity Analytics
A user accessed the System Management container, which may be an indication of a reconnaissance for site servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Gather Victim Network Information (T1590)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager and identify accessible site servers.Investigative actions: Look for the suspicious LDAP query that may trigger this event. Check if the process executes LDAP search queries as part of its normal behavior. Investigate any other potentially suspicious behavior from the compromised user. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.Unusual display name in From header Informational Email 2 variations
An email was detected with an unusual display name in the From header.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)Required data: Microsoft 365 EmailsAttacker's goals: Evade defenses and hide potential malicious data inside the email display name.Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.Variations
Unusual display name in the From header containing an embedded URL
Low overridden
An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden
Unusual display name in the From header that is identical to the email address
Informational overridden
An email was detected where the display name in the From header is unusual and matches the sender email address. overridden
Unusual process accessed a messaging app's files Low
An unusual process has accessed files belonging to a messaging app.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to the user's message history and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.