Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. technique: T1572 ✕

Show ATT&CK heatmap
  • Suspicious ICMP packet Low 1 variation

    An ICMP router advertisement was sent by a host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Make the victim change his routing table.
    Investigative actions: Investigate why the source host sent an ICMP router advertisement and if it changed the destination target routing table.

    Variations

    Suspicious ICMP packet that resemble an ICMP redirect attack

    Informational overridden

    ICMP redirect was sent by a user. overridden

  • Uncommon network tunnel creation Informational 3 variations

    An uncommon network tunnel was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Url Logs
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    Uncommon network tunnel creation

    Informational overridden

    An uncommon network tunnel was established using ACS_ssh.exe. overridden

    Uncommon SSH tunnel to unpopular IP address

    Low overridden

    An uncommon SSH tunnel was established to an unpopular remote IP address at the organization. overridden

    An uncommon network tunnel was established over the default SSH port

    Low overridden

    An unpopular process and command line created a network tunnel over the default SSH port. overridden

  • Uncommon reverse SSH tunnel to external domain/ip Low 1 variation

    An uncommon reverse SSH tunnel might have been created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: XDR Agent
    Detector tags: Abnormal Communication Analytics
    Attacker's goals: Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external ip/domain. Investigate the causality of the process.

    Variations

    Uncommon reverse SSH tunnel to external domain/ip using a sensitive port

    Low overridden

    An uncommon reverse SSH tunnel might have been created. overridden

  • Unusual SSH Activity Informational 2 variations

    Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    2 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Protocol Tunneling (T1572)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the client IP/Agent for using known intelligence tools. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised, Additionally examine logs for any unexpected data transfers or commands that may indicate malicious intent.

    Variations

    Unusual, long SSH activity with tunnel characteristics

    Low overridden

    Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration. overridden

    Unusual SSH activity with tunnel characteristics to external destination

    Low overridden

    Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session. overridden