Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

6 alerts match the current filters. technique: T1190 ✕

Show ATT&CK heatmap
  • An unusual process in ingress-nginx has accessed a service-account token file High Cloud

    An unusual process in ingress-nginx has read a service-account token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker is attempting to gain unauthorized access by leveraging valid credentials.
    Investigative actions: Check if the process is intended to preform these actions.
  • Cloud IMDS access followed by remote token usage Medium Cloud

    A request was made to the cloud Instance Metadata Service (IMDS) followed by a remote usage of EC2 role token.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour
    ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Unsecured Credentials (T1552)
    Required data: AWS Audit Log XDR Agent
    Attacker's goals: Gain unauthorized access by leveraging valid cloud credentials.
    Investigative actions: Identify the process that accessed the IMDS on the cloud instance. Examine the AWS API calls made by the stolen token, focusing on unusual or sensitive actions. Assess the role's permissions and rotate credentials if compromise is confirmed.
  • Failed Login For a Long Username With Special Characters Informational

    A long username containing special characters failed to log in to the domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Exploit Public-Facing Application (T1190)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: An attacker is trying to get code execution on internet-facing assets through command injection.
    Investigative actions: Is the host running internet-facing services? Are we looking at sanction vulnerability scanning?
  • Suspicious failed HTTP request - potential Spring4Shell exploit Low 1 variation

    A potentially malicious failed HTTP request was received, possibly as part of a Spring4Shell exploitation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001)
    ATT&CK techniques: Exploit Public-Facing Application (T1190)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Gain the ability to execute code remotely or drop malware.
    Investigative actions: Check if suspicious process executions occurred after the request. Consider limiting access to the vulnerable server.

    Variations

    Suspicious HTTP request - potential Spring4Shell exploit

    Medium overridden

    A potentially malicious HTTP request was received, possibly as part of a Spring4Shell exploitation attempt. overridden

  • Unusual DB process spawning a shell Informational 3 variations

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)
    ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)
    Required data: XDR Agent
    Detector tags: Shell Analytics
    Attacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.
    Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).

    Variations

    Unusual DB process spawning a shell with a possible reconnaissance command

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

    Unusual DB process spawning a shell with a possible web download/access command

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

    Unusual DB process spawning a shell with an unusual command line

    Low overridden

    A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden

  • Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation

    Unusual Process Spawned by Nginx in Ingress-Nginx pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)
    ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.
    Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.

    Variations

    Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload

    High overridden

    Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden