Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. technique: T1657 ✕
Show ATT&CK heatmapPossible Insider Threat Activity Low Identity Threat Module 1 variation
A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Financial Theft (T1657)Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An insider threat might use their access to organizational resources for personal gain.Investigative actions: Check how long the user has been part of the organization. Check if the user is about to leave the company. Verify that the user is not part of a department that performs such activity as part of daily operations.Variations
Indicate Insider Threat Activity
Medium overridden
A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain. overridden
Suspicious theme and sentiment in email Informational Email
The email's body has a theme and sentiment that may indicate a malicious attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Hour 30 Minutes
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Financial Theft (T1657)Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit LogDetector tags: PhishingAttacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.