Analytics Alerts
Browse the Cortex analytics alert reference.
10 alerts match the current filters. technique: T1213 ✕
Show ATT&CK heatmapA Google Workspace identity used the security investigation tool Informational Identity Threat Module 1 variation
A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Email Collection (T1114)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Access sensitive data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Determine what data was accessed using the security investigation tool.Variations
A suspicious Google Workspace identity used the security investigation tool
Low overridden
A Google Workspace identity used the security investigation tool The Google Workspace security investigation tool can be abused to access sensitive data. overridden
A rare FTP user has been detected on an existing FTP server Low 1 variation
A rare or new FTP user has been detected on an existing FTP server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall EAL LogsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new username is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application. Check the logs on the FTP server for a new user creation.Variations
Possible FTP User Scanning Detected
Low overridden
A rare or new FTP user has been detected on an existing FTP server. overridden
DLP sensitive data exposed to external users Informational Identity Threat Module Email 1 variation
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to access sensitive information.Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.Variations
High-severity DLP sensitive data exposed to external users
Low overridden
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information. overridden
Microsoft Teams messages were exported from conversation Informational Identity Threat Module 1 variation
Microsoft Teams messages were exported from conversation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage message extraction from Microsoft Teams to obtain valuable information.Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.Variations
Microsoft Teams messages were exported from conversation by a privileged user for the first time
Low overridden
Microsoft Teams messages were exported from conversation. overridden
New FTP Server Low 2 variations
A new FTP server has been detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Valid Accounts (T1078)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.Investigative actions: Verify that the new service is legitimate. Examine the legitimacy of the application that produced this uncommon FTP. Examine the parent process of this application.Variations
New FTP Server Accessed Via a Port Scan
Informational overridden
A new FTP server has been detected. overridden
New FTP Server from an external source
Low overridden
A new FTP server has been detected. overridden
OneDrive file download Informational Cloud
A file was downloaded from OneDrive using the Microsoft Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Exfiltrate sensitive data by downloading files from OneDrive.Investigative actions: Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Rare DLP rule match by user Informational Identity Threat Module Email 1 variation
A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Sharepoint (T1213.002) Data from Information Repositories (T1213)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to access sensitive information.Investigative actions: Review the details of the triggered DLP rule match.Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Communicate with the user to verify the legitimacy of the triggered event.Variations
DLP rule match by user for the first time
Low overridden
A user triggered an O365 DLP rule match, which may indicate an attacker's attempt to access sensitive information. overridden
Unusual process accessed a macOS notes DB file Informational 1 variation
An unusual process has accessed a user's notes DB file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Sensitive Information Stealing AnalyticsAttacker's goals: Obtain access to user's notes and steal their contents.Investigative actions: Determine whether it is legitimate for the process to access user's notes. Analyze the process/application that accessed the DB file. Check for any other suspicious actions that were performed by the process. Look for unusual access of resources using credentials that may be stored in the above notes.Variations
Unusual unsigned process accessed a macOS notes DB file
Low overridden
An unusual process has accessed a user's notes DB file. overridden
User accessed multiple O365 AIP sensitive files Informational Identity Threat Module
A user accessed multiple O365 AIP sensitive files.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories (T1213) Data from Local System (T1005)Required data: Office 365 AuditDetector tags: O365 DLP AnalyticsAttacker's goals: An attacker is attempting to collect sensitive information.Investigative actions: Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Follow further actions done by the account. Check what sensitivity labels are detected and how suspicious they are. Examine the user's account history for suspicious behavior.User exported multiple messages in Microsoft Teams via Graph API Informational Identity Threat Module 3 variations
A user exported multiple messages in Microsoft Teams via Graph API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Data from Information Repositories: Messaging Applications (T1213.005)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may leverage messages extraction from Microsoft Teams to collect sensitive data.Investigative actions: Confirm that the exported messages were extracted from a certified and trusted entity. Determine if it is within the user's role to extract messages from Microsoft Teams. Follow further actions done by the account and validate that the exported conversations were not sent to an untrusted entity.Variations
User exported multiple chats in Microsoft Teams via Graph API
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User exported multiple messages in Microsoft Teams via Graph API by a privileged user for the first time
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden
User exported multiple messages in Microsoft Teams via Graph API from a first seen ASN
Low overridden
A user exported multiple messages in Microsoft Teams via Graph API. overridden