Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. technique: T1219 ✕
Show ATT&CK heatmapAn app was added to Google Marketplace Informational Identity Threat Module 3 variations
An app was added to the Google Workspace Marketplace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Remote Access Tools (T1219)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new app that was added to Google workspace Marketplace. Follow further actions done by the account.Variations
An app was added to Google Marketplace by a non-administrative identity
Informational overridden
An app was added to the Google Workspace Marketplace. overridden
An app was added to Google Marketplace from an unusual ASN
Low overridden
An app was added to the Google Workspace Marketplace. overridden
An unusual app was added to Google Marketplace
Low overridden
An app was added to the Google Workspace Marketplace. overridden
Rare process with VNC server capabilities started Low
A rare process with VNC server capabilities was started.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Uncommon VNC server communication Low 4 variations
Uncommon VNC server network traffic was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Lateral Movement (TA0008)ATT&CK techniques: Remote Access Tools (T1219) Remote Services: VNC (T1021.005)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Check if it was executed remotely or locally.Variations
Uncommon VNC scanning activity detected from a scanning tool
Medium overridden
An uncommon VNC scanning network traffic was observed from a scanning tool. overridden
Uncommon VNC server communication from an unmanaged previously unseen external host
Low overridden
Uncommon VNC server network traffic was observed from an unmanaged, previously unseen external host. overridden
Partially uncommon VNC server communication
Informational overridden
Uncommon VNC server network traffic was observed. overridden
Uncommon VNC server connection
Informational overridden
An uncommon VNC Server network connection was observed. overridden
Uncommon recurring rare external host access Informational 6 variations
A process has established recurring connections to an uncommon external host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol (T1071) Exfiltration Over C2 Channel (T1041) Remote Access Tools (T1219)Required data: XDR AgentDetector tags: Abnormal Communication AnalyticsAttacker's goals: Communicate with malware running on your network to control malware activities, perform software updates on the malware, or to take inventory of infected machines. Additionally, establish command and control channels for remote malware control, conduct discovery activities to gather information about the target environment, or exfiltrate sensitive data from compromised systems.Investigative actions: Identify the process contacting the remote host and determine whether the traffic is malicious. Look for other endpoints on your network that are also periodically contacting the same external host. Inspect the domain or URL for malicious indicators or its presence in threat intelligence feeds and reputation lists.Variations
Uncommon recurring rare external host access by an automated penetration testing tool
High overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access to a dynamic DNS domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access initiated by a cron job
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a rare top-level domain
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access using an exfiltration tool
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon recurring rare external host access with a sensitive file in actor or causality command line
Low overridden
A process has established recurring connections to an uncommon external host. overridden
Uncommon remote monitoring and management tool Low 4 variations
An uncommon Remote Monitoring and Management (RMM) product was observed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Remote Access Tools (T1219)Required data: XDR AgentAttacker's goals: Accessing a remote machine with full interactive graphic interface capabilities.Investigative actions: Check if the product usage is approved. Ask the owners of the machine if they knowingly used this software. Investigate why the software was being used. Check if it was executed remotely or locally.Variations
Uncommon renamed remote monitoring and management tool
Medium overridden
An uncommon renamed Remote Monitoring and Management (RMM) product was observed. overridden
Uncommon remote monitoring and management tool (browser origin)
Informational overridden
An uncommon Remote Monitoring and Management (RMM) product was observed. (browser origin). overridden
Uncommon remote monitoring and management tool extracted from an internet-downloaded archive and executed
Low overridden
An uncommon Remote Monitoring and Management (RMM) product extracted from an internet-downloaded archive and executed. overridden
Uncommon remote monitoring and management tool downloaded from an uncommon source and executed
Medium overridden
An uncommon Remote Monitoring and Management (RMM) product downloaded from an uncommon source and executed. overridden