Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. technique: T1106 ✕
Show ATT&CK heatmapA suspicious direct syscall was executed Low 2 variations
A suspicious direct syscall was executed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Native API (T1106)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Direct Syscall AnalyticsAttacker's goals: An attacker might try to use direct syscalls to evade detection from a legitimate program.Investigative actions: Investigate the direct syscall-mapped image to verify if it is malicious. Check if this direct syscall is part of the process execution flow.Variations
A suspicious direct syscall was executed by unsigned process from a user folder
High overridden
A suspicious direct syscall was executed by unsigned process from a user folder. overridden
A suspicious direct syscall was executed by a DLL host application
Medium overridden
A suspicious direct syscall was executed by a DLL host application. overridden
AI-determined combination of risky alerts under the same actor process Informational 1 variation
Multiple alerts likely to be associated with an incident were identified under the same actor process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204) Native API (T1106)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsAttacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.Investigative actions: Investigate the actor process of these alerts. Track down other suspicious activity under this actor process.Variations
AI-determined combination of risky alerts under the same actor process: LDAP traffic from non-standard process with SMB traffic from non-standard process
Medium overridden
A non-standard process communicated over LDAP ports, combined with SMB traffic from a non-standard process under the same actor process. This combination may indicate an attacker performing Active Directory enumeration while leveraging SMB for lateral movement or discovery. overridden
AI-determined combination of risky alerts under the same causality Informational
Multiple alerts likely to be associated with an incident were identified under the same causality.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 12 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204) Native API (T1106)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsDetector tags: AI Insight Fusion AnalyticsAttacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.Investigative actions: Investigate the causality of these alerts. Track down other suspicious activity under this causality.Multiple alerts of different MITRE tactics were seen Low
Multiple alerts of different MITRE tactics were seen on the same host under the same causality.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: User Execution (T1204) Native API (T1106)Required data: Palo Alto Networks Platform Alerts Third-Party AlertsAttacker's goals: Execute multiple covert actions to circumvent detection.Investigative actions: Investigate the causality of all the linked alerts. It is visible in the bottom of the causality page. Assess whether it looks like a threat actor executing multiple tactics.Suspicious module load using direct syscall Low 1 variation
A module was loaded to a process using a direct syscall.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Native API (T1106)Required data: XDR AgentDetector tags: Direct Syscall AnalyticsAttacker's goals: An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.Investigative actions: Investigate the direct syscall mapped image to verify if it is malicious. Investigate the loaded module to verify if it is malicious.Variations
A module was loaded to an unsigned process by using a direct syscall
Medium overridden
A module was loaded to an unsigned process using a direct syscall. overridden