Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

7 alerts match the current filters. technique: T1102 ✕

Show ATT&CK heatmap
  • A non-browser process accessed a website UI Informational 3 variations

    An uncommon network communication between a non-browser process and a website UI.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Data exfiltration or attack tool staging.
    Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.

    Variations

    Suspicious content upload to a known text share website by Non browser process

    High overridden

    Uncommon data upload to a known text share website through a Non-browser process. overridden

    Uncommon data upload to a website through a Non-browser process

    Low overridden

    Uncommon data upload to a website through a Non browser process. overridden

    Uncommon data download from a known text share website through a Non-browser process

    Medium overridden

    Uncommon content download from a known text share website through a Non browser process. overridden

  • Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.

    Variations

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain

    Low overridden

    Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden

  • Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare

    Low overridden

    Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden

  • HTTP with suspicious characteristics Low 3 variations

    Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)
    ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.
    Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.

    Variations

    HTTP with suspicious characteristics which is repetitive

    Low overridden

    Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics to an IP address

    Low overridden

    Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

    HTTP with suspicious characteristics that always fails

    Informational overridden

    Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden

  • Non-browser access to a pastebin-like site Low 4 variations

    Non-browser access to a pastebin-like site.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Data exfiltration or attack tool staging.
    Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.

    Variations

    Non-browser or an uncommon browser access to a pastebin-like site

    Informational overridden

    Non-browser or an uncommon browser access to a pastebin-like site. overridden

    Non-browser access to google sheets API

    Low overridden

    Non-browser access to google sheets API. overridden

    Non-browser failed access to a pastebin-like site

    Low overridden

    Non-browser failed access to a pastebin-like site. overridden

    Rare non-browser access to a pastebin-like site

    Medium overridden

    Rare non-browser access to a pastebin-like site. overridden

  • Suspicious process accessed a site masquerading as Google Informational 1 variation

    A suspicious process accessed a site masquerading as Google.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)
    ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)
    Required data: XDR Agent
    Attacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.
    Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.

    Variations

    Suspicious process resolved the DNS name of a site masquerading as Google

    Informational overridden

    A suspicious process resolved the DNS name of a site masquerading as Google. overridden

  • Uncommon communication to an instant messaging server Informational 2 variations

    A rare communication between a process to a known instant messaging server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Web Service (T1102)
    Required data: XDR Agent
    Attacker's goals: Data exfiltration or attack tool staging through a trusted service.
    Investigative actions: Examine the legitimacy of the application that made the communication with the provider's server. Examine the parent process of this application. Check for anomalies regarding the time frame where the communication occurred.

    Variations

    Uncommon communication to an instant messaging server by a suspicious process

    Low overridden

    A rare communication by a suspicious process to a known instant messaging server. overridden

    Uncommon communication to an instant messaging server by an uncommon scripting engine execution

    Low overridden

    A rare communication by an uncommon execution of a scripting engine to a known instant messaging server. overridden