A user accessed an abnormal number of files on a remote shared folder

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

File and Directory Discovery (T1083)

Severity

Informational

Description

A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.

Attacker's Goals

Collect valuable data about the organization for exfiltration purposes.

Investigative actions

  • Check for other suspicious activity made by the user at the time of the event.
  • Go over the list of files and check if such user should have access to those files.