Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. tactic: TA0043 ✕

Show ATT&CK heatmap
  • A user accessed multiple time-consuming websites Informational Identity Threat Module

    A user was observed visiting multiple domains for personal reasons. Time theft happens when an employee is paid to work but did not actually work during that time. It might affect your business as it reduces the employee's efficiency.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Search Open Websites/Domains (T1593)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: A user may utilize work time for personal reasons.
    Investigative actions: Investigate the domains accessed and how popular they are in the organization. Verify that the user is not part of a department that visits these websites as part of their daily operations.
  • Abnormal RPC traffic to multiple hosts Low 1 variation

    The endpoint performed unfamiliar RPC activity to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.

    Variations

    Abnormal RPC traffic to multiple IPs

    Informational overridden

    The endpoint performed unfamiliar RPC activity to multiple hosts. overridden

  • Abnormal SMB scanning activity to multiple hosts Informational 4 variations

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    20 Minutes
    Deduplication:
    2 Days
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning (T1595)
    Required data: XDR Agent
    Attacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

    Variations

    Highly rare SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network. overridden

    Highly rare SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network. overridden

    Abnormal SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden

    Abnormal SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden

  • Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values Informational Email 4 variations

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Detector tags: Spam
    Attacker's goals: Achieve financial gain, distribute malware, or phish for sensitive information through mass unsolicited emails.
    Investigative actions: Examine email headers to trace origins and check for signs of spoofing. Analyze the email content for spam indicators like suspicious links and aggressive marketing language. Monitor further actions taken, such as file downloads or access to potentially malicious links.

    Variations

    Email with high Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with high Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level and Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

    Email with medium Spam Confidence Level or Bulk Complaint Level values

    Informational overridden

    The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) values, detected in the email's antispam headers, indicate that a message is more likely to be spam. overridden

  • Email was received from an unknown address using a public provider domain Informational Email

    The email was received from an unknown address, that was seen for the first time in the organization in the past month, and registered under a public provider.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Email was received from an unknown sender using a disposable domain Low Email

    The email was received from an unknown sender using a disposable email provider, first seen in the organization in the past month.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Increase in Job-Related Site Visits Informational Identity Threat Module

    A user has visited multiple job-related sites in the past day.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Search Open Websites/Domains (T1593)
    Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: This may be an early indicator of an insider threat.
    Investigative actions: Investigate the domains accessed and how popular they are in the organization. Check how long the user has been part of the organization. Verify that the user is not part of a department that accesses job sites as part of daily operations.
  • Near-empty email from an external sender Informational Email 3 variations

    The email was sent from an external sender and contains minimal content.Near-empty emails from external sources are uncommon and may be used to bypass content-based detection or prompt user interaction without clear context.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Gather Victim Identity Information (T1589)
    Required data: Microsoft 365 Emails
    Detector tags: Reconnaissance
    Attacker's goals: Attackers send reconnaissance emails to explore an organization's email security by verifying email address validity and testing spam filter effectiveness. The gathered information enables them to craft more precise and effective attacks, such as phishing or business email compromise (BEC).
    Investigative actions: Check the content of the body and whether it has any relevance to the recipients. Check the email address for any unusual spellings. Check the email address for any missing letters. Verify the sender's address to confirm its legitimacy. Check for previous emails from the sender's address. Verify whether the sender's IP address has appeared in different log sources before.

    Variations

    Blank email with an inline attachment from an external sender

    Informational overridden

    This email was sent from an external sender and contains no readable message content, but includes an inline attachment.Empty emails with embedded content are often used to obscure the intent of the message and may be associated with phishing or malware delivery attempts. overridden

    Blank email with an attachment from an external sender

    Informational overridden

    The email was sent from an external sender and contains no message content while including an attachment.Attachment-only emails from external sources can be used to entice recipients into opening potentially malicious files without contextual information. overridden

    Empty email from an external sender

    Informational overridden

    The email was sent from an external sender and contains no subject or message content.While not always malicious, completely empty emails are unusual and may be part of reconnaissance, delivery testing, or social engineering activity. overridden

  • Rarely seen sender address in the organization Informational Email

    An email was received from a sender that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Rarely seen sender domain in the organization Informational Email

    An email was received from a domain that has not been observed in the organization in the last 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Trick recipients into downloading harmful payloads Aim to gain unauthorized access to the organization's systems.
    Investigative actions: Check the email address for any unusual spellings, missing letters, or unknown domains. If the message contains attachments or links, scrutinize them for any suspicious indications. Monitor further actions taken, such as file downloads or access to potentially malicious links.
  • Subdomain Fuzzing Low 1 variation

    The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    20 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning: Wordlist Scanning (T1595.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Scan a known external facing asset to gain knowledge about the organization.
    Investigative actions: Verify that the domain doesn't host numerous subdomains. Verify that the source of the scan is not a known external scanner.

    Variations

    Subdomain Fuzzing To a Rare Destination

    Medium overridden

    The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network. overridden

  • Suspicious access of the System Management Container Low Identity Analytics

    A user accessed the System Management container, which may be an indication of a reconnaissance for site servers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Gather Victim Network Information (T1590)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: An attacker is attempting to enumerate Microsoft Configuration Manager and identify accessible site servers.
    Investigative actions: Look for the suspicious LDAP query that may trigger this event. Check if the process executes LDAP search queries as part of its normal behavior. Investigate any other potentially suspicious behavior from the compromised user. Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.
  • Unusual display name in From header Informational Email 2 variations

    An email was detected with an unusual display name in the From header.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043) Initial Access (TA0001)
    ATT&CK techniques: Phishing for Information (T1598) Phishing (T1566)
    Required data: Microsoft 365 Emails
    Attacker's goals: Evade defenses and hide potential malicious data inside the email display name.
    Investigative actions: Analyze the email further to determine the source of the anomaly and what can be done about it.

    Variations

    Unusual display name in the From header containing an embedded URL

    Low overridden

    An email was detected with an unusual sender display name in the From header containing an embedded URL. overridden

    Unusual display name in the From header that is identical to the email address

    Informational overridden

    An email was detected where the display name in the From header is unusual and matches the sender email address. overridden

  • Unusual process accessed a messaging app's files Low

    An unusual process has accessed files belonging to a messaging app.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)
    ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's message history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.