Analytics Alerts
Browse the Cortex analytics alert reference.
20 alerts match the current filters. technique: T1048 ✕
Show ATT&CK heatmapA Torrent client was detected on a host Informational 1 variation
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Exfiltrate data or as a phishing entry point.Investigative actions: Check the host for torrent client software. Look at the download's folder for foreign files or Torrent files. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
A Torrent client was detected on a host
Informational overridden
The host produced traffic consistent with the BitTorrent protocol.Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data. overridden
A compressed file was exfiltrated over SSH Informational 1 variation
Exfiltration of a compressed file over SSH.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may try to exfiltrate data over encrypted network protocol.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
A compressed file was exfiltrated over SSH from a Kubernetes pod
Informational overridden
Exfiltration of a compressed file over SSH. overridden
AWS network ACL rule creation Informational Cloud
An AWS network ACL rule was created with a specific rule number.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.DNS Tunneling Low 1 variation
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
DNS Tunneling
Medium overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The endpoint may be remotely controlled by an attacker, and/or an attacker may have exfiltrated data from it. This detector is not supported when networking events arrive solely from Cortex XDR Linux agents. overridden
First-seen email from mailbox owner to external recipient's address in the last 30 days Informational Email 6 variations
Internal sender initiated first-time communication with an external recipient in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: Exfiltration, Account TakeoverAttacker's goals: Extracting valuable information outside the company.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
First-time email to the disposable domain
Low overridden
Internal sender emailed to external address(es) with disposable domain. overridden
First-time email from organization's domain with the external recipient's domain in the last 30 days
Informational overridden
Internal sender emailed an external address belonging to a domain seen for the first time by the organization domain in the last 30 days. overridden
First-time email from organization with the external recipient in the last 30 days
Informational overridden
Internal sender emailed to external address(es) that first-seen by the the whole organization in the last 30 days. overridden
First-time email from organization's domain to the external recipient in the last 30 days
Informational overridden
Internal sender emailed to external address(es) that first-seen by the organization domain in the last 30 days. overridden
First-time email from mailbox owner to the external recipient's domain in the last 30 days
Informational overridden
Internal sender emailed to external address(es) with domain that first-seen by that sender in the last 30 days. overridden
First-time outbound email from mailbox owner to multiple external recipients without any internal recipients in the last 30 days
Informational overridden
Internal sender emailed first-time to multiple external recipients with no internal recipients included in the last 30 days. overridden
Large Upload (FTP) Low 1 variation
The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Exfiltrate stolen data from the victim network to an attacker's controllable resource.Investigative actions: Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive. Identify the entity performing the data transfer to determine if the transfer is sanctioned. Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.Variations
Large Upload (FTP)
Informational overridden
The endpoint transferred an excessively large amounts of data to a single destination over FTP.Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.For that reason, Cortex XDR detected this abnormal behavior of a large data upload.An attacker may be exfiltrating data directly to the internet using this protocol. overridden
Large Upload (Generic) Low 3 variations
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful to him.Investigative actions: Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity. Check if the traffic is to/from a misconfigured network. Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.Variations
Large Upload (Generic)
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (Generic) Lower than 100 MB
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (Generic) to a Frequently Used Upload Target
Informational overridden
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.)Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low.For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (HTTPS) Low 2 variations
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Transfer data she has stolen from your network to a location that is convenient and useful to her.Investigative actions: Check if this alert has been falsely triggered by DNS load balancers. If an endpoint routinely uploads data to a site that uses load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR Analytics detector. Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup. Identify the process/user performing the data transfer to determine if the transfer is sanctioned.Variations
Large Upload (HTTPS)
Informational overridden
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (HTTPS) to non-standard port
Low overridden
The endpoint transferred an excessive amount of data to an external site over HTTPS.The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site.The upload is considered excessive based on comparison to baseline measurements of HTTPS data transfers on your network.An attacker may be exfiltrating data directly to the internet. overridden
Large Upload (SMTP) Low 1 variation
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Transfer data they have stolen from your network to a location that is convenient and useful to him.Investigative actions: Identify the process/user performing the data transfer to determine if the transfer is sanctioned. Verify that the source is not a mail server. Check if the target address represents a mail service that rarely used in the organization. If so, this might indicate on file exfiltration attempt.Variations
Large Upload (SMTP)
Informational overridden
The endpoint, which is not an internal SMTP server, emailed an excessive amount of data from your network. overridden
Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams external communication policy was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.Variations
Microsoft Teams external communication policy was modified by an unusual user
Low overridden
Microsoft Teams external communication policy was modified. overridden
Possible IPFS traffic was detected Informational
The host attempted to access other nodes in an IPFS manner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Examine the client's network traffic for uploaded or downloaded file hashes.Possible use of IPFS was detected Informational 1 variation
The host produced traffic consistent with IPFS.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Initial Access (TA0001)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: IPFS access may expose your organization to new malware or allow attackers/ malicious insiders to exfiltrate data.Investigative actions: Check the host for IPFS client software. Look at the user's website history for IPFS url's and check the content ID (CID) for malicious indicators. Examine the client's network traffic for uploaded or downloaded file hashes.Variations
Possible use of IPFS was detected
Informational overridden
The host produced traffic consistent with IPFS. overridden
Python HTTP server started Informational
Python HTTP server started - possible exfiltration over HTTP.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)Required data: XDR AgentAttacker's goals: Attackers might use a Python server as a C&C or exfiltration channel.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it.Rare SMTP/S Session Informational
The Simple Mail Transfer Protocol (SMTP) and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Sending unusual file(s) to an external address Low Email
Unusual files sent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Initial Access (TA0001) Exfiltration (TA0010)ATT&CK techniques: Phishing (T1566) Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting sensitive credentials, potentially leading to account takeover or unauthorized access to internal services. Extracting valuable information outside the company.Investigative actions: Check the content of the unusual files that were sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further actions taken, such as accessing private keys, API tokens and sensitive data.Sensitive Exchange mail sent to external users Informational Identity Threat Module Email 2 variations
A user sent sensitive email messages to external users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Email Collection (T1114) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive email information.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Exchange mail to external account matching high severity DLP rules
Low overridden
A user sent sensitive email messages to external users. overridden
Sensitive Exchange mail sent to an external user
Low overridden
A user sent sensitive email messages to external users. overridden
Suspicious DNS traffic Informational 2 variations
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over Alternative Protocol (T1048)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: DNS tunneling, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked. An attacker may also use this protocol to exfiltrated data from the compromised endpoint outside the network.Investigative actions: Verify that the source device or process is not an approved security solution. Verify if the DNS query types are non-standard. DNS tunnels use uncommon query types that enable encoding of more data. Examples include: INIT, PRIVATE, NULL, SRV, KEY, and TXT. If the affected endpoint is operating Windows, verify that the DNS traffic is coming from svchost.exe and search for other processes that ran when the alert triggered. On Windows, the DNS requests go through svchost.exe. Verify the responses per DNS query. Many responses per query may indicate a tool being downloaded. Verify the destination domain details and compare the number of endpoints in your network that access the domain over time to see if this is an uncommonly contacted domain. Verify the source web-browser traffic to determine if the process was generated by user action, if the user did not initiate the traffic it can be indicative of malicious activity. Verify non-DNS traffic to the domain. Any traffic except DNS queries to the destination domain may indicate a legitimate domain and not used solely for command-and-control or data exfiltration.Variations
Suspicious DNS traffic with a rarely seen domain
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.This domain was rarely seen in this tenant. overridden
Suspicious DNS traffic with a globally rare DNS query length
Low overridden
10 KB or more were sent encoded in subdomain names during a 10-minute window. All subdomains queried were under a single suspicious domain.DNS tunneling encodes data in DNS queries and responses, allowing an attacker to bypass firewalls and proxies to reach his or her command and control server, even when HTTP/S traffic is blocked.The combination of the DNS queries along with this root domain is globally rare. overridden
Uncommon increase in Azure Microsoft Graph API request sizes Informational Cloud 3 variations
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Exfiltrate data over Microsoft Graph API.Investigative actions: Check the identity's role designation in the organization.Check if there are additional calls executed by the identity.Variations
Unusual Azure high-volume data transfer
Medium overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Suspicious Azure data transfer by identity
Medium overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Unusual data transfer from multiple Azure tenants
Low overridden
An identity executed multiple Microsoft Graph actions, leading to an uncommon increase in API request sizes. overridden
Unusual attachment volume in outbound emails Informational Email 2 variations
Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Hour
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: Microsoft 365 EmailsDetector tags: ExfiltrationAttacker's goals: Extracting valuable information outside the company. Bypass Data Loss Prevention (DLP) by splitting data across multiple emails.Investigative actions: Check the content of the email that was sent. Review the external recipient address and assess its reputation. Review past emails sent from this mailbox for any suspicious activity. Check for unusual emails sent to this recipient's address. Monitor further action taken, such as accessing to private keys, API tokens and sensitive data.Variations
Unusual attachment volume in outbound emails to a single external recipient
Informational overridden
Numerous emails with substantial attachments sent by internal sender to one external recipient within a short timeframe. overridden
Unusual attachment amount and size in outbound emails
Informational overridden
Numerous emails with substantial attachments sent by an internal sender to one or more external recipients within a short timeframe. overridden
WebDAV drive mounted from net.exe over HTTPS Informational
Attackers may mount a WebDAV drive over HTTPS to upload files to and download files from a compromised machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Alternative Protocol (T1048)Required data: XDR AgentAttacker's goals: Attackers might use WebDAV as a C&C or exfiltration channel to evade detection and firewall rules.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.