Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

13 alerts match the current filters. technique: T1018 ✕

Show ATT&CK heatmap
  • A user executed multiple LDAP enumeration queries Informational Identity Analytics 1 variation

    A user executed multiple LDAP enumeration queries.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server)
    Attacker's goals: An adversary may utilize the LDAP protocol to gain information on the Active Directory environment and plan its lateral movement over the network.
    Investigative actions: Where possible, check the legitimacy of the process that executed these LDAP queries. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic, those search queries (often using wildcards) tend to be more suspicious.

    Variations

    A user executed suspicious LDAP enumeration queries

    Low overridden

    A user executed multiple LDAP enumeration queries. overridden

  • Abnormal ICMP echo (PING) to multiple hosts Low

    An endpoint performed an abnormal ICMP echo (PING) to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    5 Hours
    Deduplication:
    2 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: XDR Agent
    Attacker's goals: An adversary may use the ICMP protocol to map IP addresses, hostnames and segments to plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed host. Verify if newly services or applications that require network mapping were installed on the initiating host.
  • Abnormal connections to a dormant host from a newly seen endpoint Informational 1 variation

    The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    6 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: While probing the network, an attacker may discover dormant hosts. These inactive systems can then be used for lateral movement or privilege escalation.
    Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.

    Variations

    Abnormal connections to a dormant host

    Low overridden

    The endpoint has performed multiple connections to an endpoint that is relatively inactive on the network. overridden

  • Failed Connections Low 2 variations

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: An attacker does not know your network and is exploring it for new or unknown subnets.
    Investigative actions: Validate that the source is not a sanctioned port scanner. Check for suspicious artifacts in the endpoint profile.

    Variations

    Failed Connections

    Informational overridden

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network. overridden

    Failed Connections with a rare causality and actor processes relations

    Informational overridden

    The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.These failed connections originated from a rare relation between an actor process and its causality. overridden

  • Multiple discovery commands Low 4 variations

    The alerted causality performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands from a web server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an SQL server CGO

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from an unsigned causality

    Medium overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands from a standard IT tool

    Informational overridden

    The alerted causality performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Linux host by the same process Informational 2 variations

    The alerted process performed multiple consecutive discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery commands on a Linux host by the same process

    Medium overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Linux host by the same process

    Low overridden

    The alerted process performed multiple consecutive discovery commands in a short timeframe. overridden

  • Multiple discovery commands on a Windows host by the same process Low 5 variations

    The alerted process performed multiple discovery commands in a short timeframe.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Remote Multiple discovery commands on a Windows host by the same IP

    High overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a web server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from an SQL server CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Multiple discovery commands on a Windows host by the same process from a remote CGO

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

    Rare Multiple discovery commands on a Windows host by the same process

    Medium overridden

    The alerted process performed multiple discovery commands in a short timeframe. overridden

  • Multiple discovery-like commands Informational 3 variations

    The alerted process performed multiple consecutive discovery commands in a short time frame.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007)
    Required data: XDR Agent
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Multiple discovery-like commands by web server process

    Low overridden

    The web server process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands on a Linux host

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

    Multiple discovery-like commands

    Informational overridden

    The alerted process performed multiple consecutive discovery commands in a short time frame. overridden

  • Possible LDAP Enumeration Tool Usage Informational Identity Analytics 3 variations

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Account Discovery (T1087) Permission Groups Discovery: Domain Groups (T1069.002) Domain Trust Discovery (T1482) Remote System Discovery (T1018) System Network Configuration Discovery (T1016)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Possible admin enumeration via LDAP

    Informational overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    A user executed an LDAP enumeration query with suspicious characteristics

    Medium overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

    Rare LDAP enumeration query executed by a user

    Low overridden

    A user sent a suspicious enumeration query via LDAP. The query is associated with an LDAP enumeration tool that may be used during attacks against the organization. overridden

  • Suspicious PowerSploit's recon module (PowerView) net function was executed Medium

    An attacker may use PowerSploit to reconnaissance the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify that the relevant function was indeed run by PowerSploit (https://powersploit.readthedocs.io/#recon). Understand what information the attacker had gathered from the command and investigate relevant assets.
  • Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts Medium

    An attacker may use PowerSploit to reconnaissance the network for exposed hosts to move laterally to.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify that the relevant function was indeed run by PowerSploit (https://powersploit.readthedocs.io/#recon). Understand what information the attacker had gathered from the command and investigate relevant assets.
  • Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Suspicious container reconnaissance activity in a Kubernetes pod

    Medium overridden

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden

    Suspicious container reconnaissance activity in a Kubernetes pod

    Low overridden

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden

  • Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet Informational

    An attacker may use one of Microsoft's Active Directory PowerShell module remote discovery cmdlet to reconnaissance the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Understand what information the attacker had gathered from the command and investigate relevant assets.