Analytics Alerts
Browse the Cortex analytics alert reference.
12 alerts match the current filters. technique: T1133 ✕
Show ATT&CK heatmapA Kubernetes dashboard service account was used outside the cluster Medium Cloud 1 variation
A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain initial access to the Kubernetes cluster.Investigative actions: Determine which Kubernetes resources were accessed through the dashboard. Check whether any changes were made to the Kubernetes cluster.Variations
A Kubernetes dashboard service account was unsuccessfully used outside the cluster
Low overridden
A Kubernetes dashboard service account was successfully used externally of the Kubernetes environment, which may indicate that the dashboard is exposed to the internet and does not require authentication.The operation was unsuccessful. overridden
AWS network ACL rule creation Informational Cloud
An AWS network ACL rule was created with a specific rule number.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Exfiltration (TA0010)ATT&CK techniques: External Remote Services (T1133) Exfiltration Over Alternative Protocol (T1048)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Check the VPC affected by this change. Verify the rule number (as rules are applied in order). Determine whether the rule is ingress or egress.An operation was performed by an identity from a domain that was not seen in the organization Informational Cloud 1 variation
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.Investigative actions: Investigate the external domain name. Check The cloud identity activity in the organization.Variations
An operation was performed by an identity from a domain that was not seen in the tenant
Low overridden
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before. overridden
Azure Event Hub Authorization rule creation/modification Informational Cloud
An authorization rule is bound with specific rights, once created within a namespace, which has management permissions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Persistence using the created/updated rule.Investigative actions: Check the identity that created/updated the authorization rule. What actions were taken using the rule.Executable or Script file written by a web server process Low 3 variations
An uncommon executable or script file was created, written, or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gain the ability to execute commands on the host and establish persistence.Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.Variations
A driver was written by a web server process
Low overridden
An uncommon driver file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process in an internet facing server
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Modification or Deletion of an Azure Application Gateway Detected Informational Cloud
Modification or Deletion of an Azure Application Gateway Detected. A change has been detected in an Azure Application Gateway. This may indicate unauthorized access or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133)Required data: Azure Audit LogAttacker's goals: Gain access to the resources behind the Azure Application Gateway.Investigative actions: Check the Azure Application Gateway to identify the changes made. Verify whether the identity should be making this action.Possible webshell file written by a web server process Low 3 variations
An uncommon file with a web file extension was created, written or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Variations
Possible webshell file written by a node web server process
Informational overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process in an internet facing server
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
SaaS suspicious external domain user activity Informational Identity Threat Module 1 variation
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization before.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: Google Workspace Audit Logs Office 365 AuditAttacker's goals: Gain their initial foothold within the organization and explore the environment to achieve their target.Investigative actions: Investigate the external domain name. Check the identity activity in the organization.Variations
Suspicious external user activity detected from a domain first seen in the organization
Low overridden
An operation was performed by an identity. This identity belongs to a domain that was not seen in the organization, both in cloud and SaaS environments. overridden
Suspicious External RDP Login Informational Identity Analytics
An unusual successful RDP connection by a user from an external IP.This may be indicative of using stolen credentials or malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: XDR AgentAttacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.Investigative actions: Identify the user performing RDP and check that it is authorized. Check whether this IP has a malicious reputation. Reset the user's password. Follow further actions done by the user.Suspicious HTTP parameters detected Medium
The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.Suspicious successful RDP connection to localhost Informational Identity Analytics 2 variations
An unusual process created a successful RDP connection to localhost. This may indicate the use of a tunnel to bypass a firewall.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001)ATT&CK techniques: External Remote Services (T1133)Required data: XDR AgentDetector tags: Enhanced RDP AnalyticsAttacker's goals: The attacker attempts to gain access to the accounts through RDP from an external source.Investigative actions: Investigate the actor process to determine if it was used for legitimate purposes or malicious activity. Identify the user performing RDP and check that it is authorized. Follow further actions done by the user.Variations
Suspicious successful RDP connection to localhost via reverse SSH tunnel
Low overridden
An unusual process created a successful RDP connection to localhost.The command line indicates the usage of SSH tunnel to bypass the firewall. overridden
Suspicious successful RDP connection to localhost on DC server
Low overridden
An unusual process created a successful RDP connection to localhost on a DC server. This may indicate the use of a tunnel to bypass a firewall. overridden
Web server CGO executed an uncommon process Informational 1 variation
An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.Variations
Web server CGO executed a LOLBIN process with direct IP in the command line
High overridden
A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden