Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0043 ✕ technique: T1005 ✕

Show ATT&CK heatmap
  • Unusual process accessed a messaging app's files Low

    An unusual process has accessed files belonging to a messaging app.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Reconnaissance (TA0043)
    ATT&CK techniques: Data from Local System (T1005) Gather Victim Host Information (T1592)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Sensitive Information Stealing Analytics
    Attacker's goals: Obtain access to the user's message history and steal their contents.
    Investigative actions: Determine whether it is legitimate for the process to access such files. Analyze the process/application that accessed the file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may have been associated with the above messaging app.