Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. technique: T1567 ✕
Show ATT&CK heatmapA process connected to a rare cloud resource Informational 3 variations
A process connected to a rare cloud resource.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Application Layer Protocol: Web Protocols (T1071.001) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Communicate with the attacker's Command and Control (C2) infrastructure.Investigative actions: Investigate the actor process connected to the cloud resource. Determine if the cloud resource is owned by your organization or a known external entity. Assess whether this communication pattern is expected or not.Variations
A browser process connected to a rare cloud resource
Informational overridden
A browser process connected to a rare cloud resource. overridden
A process connected to an atypical rare cloud resource
Informational overridden
A process connected to an atypical rare cloud resource. overridden
A process connected to a rare cloud resource atypical to this agent
Informational overridden
A process connected to a rare cloud resource atypical to this agent. overridden
A user accessed an uncommon AppID Informational Identity Threat Module 5 variations
A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.Variations
A user accessed an uncommon external peer-to-peer service
Informational overridden
A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon external file-sharing service
Informational overridden
A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon peer-to-peer service
Informational overridden
A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon file-sharing service
Informational overridden
A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. overridden
A user accessed an uncommon VPN service
Informational overridden
A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent Low 2 variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred. Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.Variations
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server. overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain
Low overridden
Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain. overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server Informational 1 variation
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this rare combination of HTTP User Agent with the external HTTP Server. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server where both the User Agent and the HTTP Server are rare
Low overridden
Abnormal network communication with a rare combination of HTTP User Agent and HTTP Server to an external address. overridden
HTTP with suspicious characteristics Low 3 variations
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Exfiltration (TA0010)ATT&CK techniques: Web Service (T1102) Exfiltration Over Web Service (T1567)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Data exfiltration, attack tool staging or command and control channel through a trusted service.Investigative actions: Examine the legitimacy of the application that produced this uncommon connection. Examine the parent process of this application. Check for anomalies at the time when the communication occurred.Variations
HTTP with suspicious characteristics which is repetitive
Low overridden
Repetitevne HTTP communication was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics to an IP address
Low overridden
Uncommon HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
HTTP with suspicious characteristics that always fails
Informational overridden
Unsuccessful HTTP communication to IP address was performed by the host that might indicate its attempt to hide malicious activities. overridden
Massive upload to SaaS service Informational Identity Threat Module 1 variation
A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 AuditAttacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.Variations
Massive upload to SaaS service by suspicious user
Low overridden
A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden
Massive upload to a rare storage or mail domain Informational Identity Threat Module 1 variation
A large amount of data was transferred to an external site that is used for mail or storage. This behavior may indicate data exfiltration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)Required data: Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs XDR AgentAttacker's goals: A user uploaded an abnormal amount of data to a file sharing service. This activity might indicate an attempt to exfiltrate files and data from the organization.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Identify the user uploading the data to determine if the transfer is sanctioned.Variations
A user uploaded over 500 MB to a rare storage or mail domain
Low overridden
A user uploaded over 500 MB to a file sharing service that is rarely accessed by them or anyone else in the organization. overridden