Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. technique: T1106 ✕

Show ATT&CK heatmap
  • A suspicious direct syscall was executed Low 2 variations

    A suspicious direct syscall was executed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Native API (T1106)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Direct Syscall Analytics
    Attacker's goals: An attacker might try to use direct syscalls to evade detection from a legitimate program.
    Investigative actions: Investigate the direct syscall-mapped image to verify if it is malicious. Check if this direct syscall is part of the process execution flow.

    Variations

    A suspicious direct syscall was executed by unsigned process from a user folder

    High overridden

    A suspicious direct syscall was executed by unsigned process from a user folder. overridden

    A suspicious direct syscall was executed by a DLL host application

    Medium overridden

    A suspicious direct syscall was executed by a DLL host application. overridden

  • AI-determined combination of risky alerts under the same actor process Informational 1 variation

    Multiple alerts likely to be associated with an incident were identified under the same actor process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the actor process of these alerts. Track down other suspicious activity under this actor process.

    Variations

    AI-determined combination of risky alerts under the same actor process: LDAP traffic from non-standard process with SMB traffic from non-standard process

    Medium overridden

    A non-standard process communicated over LDAP ports, combined with SMB traffic from a non-standard process under the same actor process. This combination may indicate an attacker performing Active Directory enumeration while leveraging SMB for lateral movement or discovery. overridden

  • AI-determined combination of risky alerts under the same causality Informational

    Multiple alerts likely to be associated with an incident were identified under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    12 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Detector tags: AI Insight Fusion Analytics
    Attacker's goals: Perform multiple activities to achieve the attacker's goals in the target environment.
    Investigative actions: Investigate the causality of these alerts. Track down other suspicious activity under this causality.
  • Multiple alerts of different MITRE tactics were seen Low

    Multiple alerts of different MITRE tactics were seen on the same host under the same causality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: User Execution (T1204) Native API (T1106)
    Required data: Palo Alto Networks Platform Alerts Third-Party Alerts
    Attacker's goals: Execute multiple covert actions to circumvent detection.
    Investigative actions: Investigate the causality of all the linked alerts. It is visible in the bottom of the causality page. Assess whether it looks like a threat actor executing multiple tactics.
  • Suspicious module load using direct syscall Low 1 variation

    A module was loaded to a process using a direct syscall.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Native API (T1106)
    Required data: XDR Agent
    Detector tags: Direct Syscall Analytics
    Attacker's goals: An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.
    Investigative actions: Investigate the direct syscall mapped image to verify if it is malicious. Investigate the loaded module to verify if it is malicious.

    Variations

    A module was loaded to an unsigned process by using a direct syscall

    Medium overridden

    A module was loaded to an unsigned process using a direct syscall. overridden