Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. technique: T1080 ✕

Show ATT&CK heatmap
  • A user uploaded malware to SharePoint or OneDrive Low Identity Threat Module 2 variations

    A user uploaded a file that was classified as malware to SharePoint or OneDrive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Taint Shared Content (T1080) User Execution: Malicious File (T1204.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may upload malware to a shared location to gain execution and move laterally.
    Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check the file that was uploaded for any malicious indicators. Follow further actions done by the account.

    Variations

    A user uploaded malware to SharePoint or OneDrive with suspicious characteristics

    Medium overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive with some additional suspicious characteristics. overridden

    A user uploaded a malicious payload to SharePoint or OneDrive

    Informational overridden

    A user uploaded a file that was classified as malware to SharePoint or OneDrive. The file was labelled as malicious by Microsoft's file scanning engine. overridden