Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | Requires: Palo Alto Networks Platform Logs |
| Detection Modules | Identity Threat Module |
| Detector Tags | |
| ATT&CK Tactic | Exfiltration (TA0010) |
| ATT&CK Technique | Exfiltration Over Web Service (T1567) |
| Severity | Informational |
Description
A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization.
Attacker's Goals
A user accessed an uncommon AppID that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.
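As an added illustration, not the vendor's own detector logic (which this page does not publish), the Python sketch below replays constructed traffic-log records through the periods from the synopsis table: a 14-day activation period, a 30-day training baseline before each event, a single-event test, and 1-day deduplication per user and AppID. The user names, AppID values and the rarity thresholds MIN_USER_HITS / MIN_ORG_HITS are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

Event = NamedTuple("Event", [("ts", datetime), ("user", str), ("app", str)])  # log time, source user, AppID

# Periods taken from the detector's synopsis table.
ACTIVATION = timedelta(days=14)  # no alerts until this much history exists
TRAINING = timedelta(days=30)    # baseline window preceding each event
DEDUP = timedelta(days=1)        # at most one alert per (user, app) per day
# Assumed rarity thresholds (the page states none): an AppID is "uncommon" when
# both the user and the whole organization have fewer baseline hits than these.
MIN_USER_HITS, MIN_ORG_HITS = 3, 5

def is_uncommon(event, history):
    """True if event.app is rare for event.user AND for the organization."""
    hits = [e for e in history
            if event.ts - TRAINING <= e.ts < event.ts and e.app == event.app]
    user_hits = sum(1 for e in hits if e.user == event.user)
    return user_hits < MIN_USER_HITS and len(hits) < MIN_ORG_HITS

def evaluate(events):
    """Replay events in time order; return alerts as (ts, user, app) tuples."""
    events = sorted(events)
    last_alert, alerts = {}, []
    for i, ev in enumerate(events):
        if ev.ts - events[0].ts < ACTIVATION:
            continue                          # still in the activation period
        if not is_uncommon(ev, events[:i]):
            continue
        key = (ev.user, ev.app)
        if key in last_alert and ev.ts - last_alert[key] < DEDUP:
            continue                          # deduplicated
        last_alert[key] = ev.ts
        alerts.append((ev.ts, ev.user, ev.app))
    return alerts

def sample_events():
    """Constructed sample: 30 days of routine traffic, then rare AppIDs."""
    day0, evs = datetime(2024, 3, 1), []
    for d in range(30):
        t = day0 + timedelta(days=d, hours=9)
        evs += [Event(t, "alice", "web-browsing"), Event(t, "bob", "web-browsing"),
                Event(t, "bob", "ms-onedrive-base")]
    evs.append(Event(day0 + timedelta(days=5), "carol", "bittorrent"))  # in activation: silent
    t = day0 + timedelta(days=30, hours=10)
    evs += [Event(t, "alice", "bittorrent"),                       # rare for user and org: alert
            Event(t + timedelta(hours=2), "alice", "bittorrent"),  # same day: deduplicated
            Event(t, "alice", "ms-onedrive-base")]                 # common in org: no alert
    return evs
```

Running `evaluate(sample_events())` yields a single alert for alice's first bittorrent session; the onedrive access is suppressed because the organization uses that AppID routinely, which is the "or anyone else" half of the description.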
Variations
A user accessed an uncommon external peer-to-peer service
Synopsis
Description
A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization.
Attacker's Goals
A user accessed an uncommon external peer-to-peer service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.
A user accessed an uncommon external file-sharing service
Synopsis
Description
A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization.
Attacker's Goals
A user accessed an uncommon external file-sharing service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.
A user accessed an uncommon peer-to-peer service
Synopsis
Description
A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization.
Attacker's Goals
A user accessed an uncommon peer-to-peer service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.
A user accessed an uncommon file-sharing service
Synopsis
Description
A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization.
Attacker's Goals
A user accessed an uncommon file-sharing service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to exfiltrate sensitive data.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.
A user accessed an uncommon VPN service
Synopsis
Description
A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity.
Attacker's Goals
A user connected to an unusual VPN service that is rarely accessed by them or anyone else in the organization. This may indicate an attempt to hide their online activity.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.