Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

11 alerts match the current filters. technique: T1090 ✕

Show ATT&CK heatmap
  • A Successful VPN connection from TOR High Identity Analytics 1 variation

    A successful VPN connection from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: Palo Alto Networks Global Protect Third-Party VPNs
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A Successful VPN connection from TOR via Mobile Device

    Medium overridden

    A successful VPN connection from a TOR exit node. overridden

  • A Successful login from TOR High Identity Analytics

    A successful login from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: XDR Agent
    Attacker's goals: Gain initial access to the organization while anonymizing the source of the activity.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.
  • A successful SSO sign-in from TOR High Identity Analytics 1 variation

    A successful sign-in from a TOR exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AzureAD Azure SignIn Log Idira Duo Okta OneLogin PingOne
    Attacker's goals: Gain initial access to organization and hiding itself.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes. Search for additional logins from the same user around the alert timestamp.

    Variations

    A successful SSO sign-in from TOR via Mobile Device

    Medium overridden

    A successful sign-in from a TOR exit node. overridden

  • Cloud activity from a high-risk IP address Informational Cloud 1 variation

    An identity executed a cloud API from a high-risk IP address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Gain initial access using a compromised identity while obfuscating origin.
    Investigative actions: Verify if the user is authorized to use anonymizing services. Review subsequent actions by the user for suspicious activity. Check for other users accessing from the same IP or tunnel operator.

    Variations

    Cloud activity from an unusual high-risk IP

    Low overridden

    An identity executed a cloud API from a high-risk IP address. overridden

  • Netcat makes or gets connections High

    Malicious actors can use Netcat for privilege escalation, remote code execution, data exfiltration and protocol tunneling to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: XDR Agent
    Attacker's goals: Establish command and control channel. Propagate in the victim network.
    Investigative actions: Verify that the usage of Netcat/Netcat64 is from an authorized personnel and that user has the right to access the remote host.
  • Suspicious AI model usage from a Tor exit node High Cloud 1 variation

    A cloud identity invoked an AI model from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Failed AI model usage from a Tor exit node

    Informational overridden

    A cloud identity invoked an AI model from a Tor exit node. overridden

  • Suspicious API call from a Tor exit node High Cloud 2 variations

    A cloud API was called from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003) Valid Accounts: Cloud Accounts (T1078.004)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    Suspicious Kubernetes API call from a Tor exit node

    High overridden

    A Kubernetes API was called from a Tor exit node. overridden

    A Failed API call from a Tor exit node

    Informational overridden

    A cloud API was called from a Tor exit node. overridden

  • Suspicious SaaS API call from a Tor exit node High Identity Threat Module 2 variations

    A SaaS API was called from a Tor exit node.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Multi-hop Proxy (T1090.003)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: Conceal information about malicious activities, such as location and network usage.
    Investigative actions: Block all web traffic to and from public Tor entry and exit nodes.

    Variations

    A Failed API call from a Tor exit node

    Informational overridden

    A SaaS API was called from a Tor exit node. overridden

    Suspicious SaaS API call from a Tor exit node via Mobile Device

    Medium overridden

    A SaaS API was called from a Tor exit node. overridden

  • Suspicious proxy environment variable setting Informational

    Suspicious proxy environment variable change or definition with a rare command line.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent
    Attacker's goals: Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
    Investigative actions: Investigate the process activities and try to understand the network impact os the new proxy setting.
  • Unusual Netsh PortProxy rule Low 2 variations

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.
    Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unusual Netsh PortProxy rule by non-netsh process

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

    Unusual Netsh PortProxy rule by an unsigned causality actor

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

  • Unusual SSH activity that resembles SSH proxy Informational 3 variations

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Proxy: Internal Proxy (T1090.001)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.
    Investigative actions: Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.

    Variations

    High Volume Unusual SSH activity that resembles SSH proxy

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

    Suspicious SSH activity that resembles SSH proxy

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden

    Unusual SSH activity that resembles SSH proxy detected

    Low overridden

    A host initiated and received an unusual SSH connection, which is consistent with being an SSH proxy.This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data. overridden