Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. technique: T1057 ✕

Show ATT&CK heatmap
  • Suspicious PowerShell Enumeration of Running Processes Low

    Attackers often enumerate running processes to find and disable security tools.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Process Discovery (T1057)
    Required data: XDR Agent
    Attacker's goals: Understand the type of host according to the processes running on it; find and disable security tools.
    Investigative actions: Verify whether the command that was executed is benign or normal for the host and/or user performing it (for example, it may be an IT script).
  • Uncommon attempt at discovering a sensitive file Informational 8 variations

    A process made an uncommon attempt to access a file that may contain sensitive information.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: File and Directory Discovery (T1083) Process Discovery (T1057) System Service Discovery (T1007) System Network Configuration Discovery (T1016) System Owner/User Discovery (T1033) System Network Connections Discovery (T1049) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: EDR Discovery Analytics
    Attacker's goals: Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.
    Investigative actions: Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access. Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

    Variations

    Uncommon attempt at discovering /etc/hosts

    Informational overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a security testing tool

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script

    Medium overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a potential Webshell

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a script that was executed by a rare causality

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file from temporary or world writable directories

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a rare process that was executed by cron

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden

    Uncommon attempt at discovering a sensitive file by a non-GTFOBIN process

    Low overridden

    A process made an uncommon attempt to access a file that may contain sensitive information. overridden