Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. technique: T1210 ✕
Show ATT&CK heatmapRare MS-Update traffic over HTTP Informational
The endpoint requested an MS-Update operation with abnormal HTTP traffic characteristics.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008)ATT&CK techniques: Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: The Windows Server Update Services enable machines to discover and download software updates from a dedicated update server. Attacker may use the MS-Update protocol to execute unauthorized code through Microsoft binaries.Investigative actions: Inspect the legitimacy of the server as a WSUS functioning server. Verify that your MS-Update network routine is HTTPS enforced Verify that this MS-Update server is not a newly deployed server as part of a legitimate IT activity.Unusual ADFS Remote Synchronization network connections from non-ADFS server Low
Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, step for forging SAML tokens in a Golden SAML attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Lateral Movement (TA0008)ATT&CK techniques: Forge Web Credentials: SAML Tokens (T1606.002) Exploitation of Remote Services (T1210)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.Investigative actions: Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request. Check for a possible DCSync alerts. Check alerts that related to ADFS server. Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.Unusual DB process spawning a shell Informational 3 variations
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Lateral Movement (TA0008)ATT&CK techniques: Exploit Public-Facing Application (T1190) Exploitation of Remote Services (T1210)Required data: XDR AgentDetector tags: Shell AnalyticsAttacker's goals: Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.Investigative actions: Review the commands/processes executed by the shell for malicious actions. Check if and what else the DB process has executed. Check for any additional alerts raised in the context of the DB process. Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).Variations
Unusual DB process spawning a shell with a possible reconnaissance command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with a possible web download/access command
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden
Unusual DB process spawning a shell with an unusual command line
Low overridden
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt. overridden