Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. technique: T1102 ✕
Show ATT&CK heatmapA non-browser process accessed a website UI Informational 3 variations
An uncommon network communication between a non-browser process and a website UI.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: Palo Alto Networks Url LogsAttacker's goals: Data exfiltration or attack tool staging.Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.Variations
Suspicious content upload to a known text share website by Non browser process
High overridden
Uncommon data upload to a known text share website through a Non-browser process. overridden
Uncommon data upload to a website through a Non-browser process
Low overridden
Uncommon data upload to a website through a Non browser process. overridden
Uncommon data download from a known text share website through a Non-browser process
Medium overridden
Uncommon content download from a known text share website through a Non browser process. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.Variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare
Low overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden
HTTP with suspicious characteristics Low 3 variations
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
HTTP with suspicious characteristics which is repetitive
Low overridden
Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics to an IP address
Low overridden
Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics that always fails
Informational overridden
Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
Non-browser access to a pastebin-like site Low 4 variations
Non-browser access to a pastebin-like site.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: Palo Alto Networks Url LogsAttacker's goals: Data exfiltration or attack tool staging.Investigative actions: Examine the host to verify that the host was not part of infiltration or data exfiltration from the organization. Verify that the host doesn't have sensitive company data that can be easily exfiltrated.Variations
Non-browser or an uncommon browser access to a pastebin-like site
Informational overridden
Non-browser or an uncommon browser access to a pastebin-like site. overridden
Non-browser access to google sheets API
Low overridden
Non-browser access to google sheets API. overridden
Non-browser failed access to a pastebin-like site
Low overridden
Non-browser failed access to a pastebin-like site. overridden
Rare non-browser access to a pastebin-like site
Medium overridden
Rare non-browser access to a pastebin-like site. overridden
Suspicious process accessed a site masquerading as Google Informational 1 variation
A suspicious process accessed a site masquerading as Google.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Defense Evasion (TA0005)ATT&CK techniques: Web Service: Bidirectional Communication (T1102.002) Masquerading (T1036)Required data: XDR AgentAttacker's goals: Masquerade legitimate looking Google services for defense evasion and C&C.Investigative actions: See whether this site has a malicious reputation. Follow process activities. Monitor traffic to the site.Variations
Suspicious process resolved the DNS name of a site masquerading as Google
Informational overridden
A suspicious process resolved the DNS name of a site masquerading as Google. overridden
Uncommon communication to an instant messaging server Informational 2 variations
A rare communication between a process to a known instant messaging server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Web Service (T1102)Required data: XDR AgentAttacker's goals: Data exfiltration or attack tool staging through a trusted service.Investigative actions: Examine the legitimacy of the application that made the communication with the provider's server. Examine the parent process of this application. Check for anomalies regarding the time frame where the communication occurred.Variations
Uncommon communication to an instant messaging server by a suspicious process
Low overridden
A rare communication by a suspicious process to a known instant messaging server. overridden
Uncommon communication to an instant messaging server by an uncommon scripting engine execution
Low overridden
A rare communication by an uncommon execution of a scripting engine to a known instant messaging server. overridden