A user accessed multiple time-consuming websites

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

12 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • Palo Alto Networks Platform Logs

Detection Modules

Identity Threat Module

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Search Open Websites/Domains (T1593)

Severity

Informational

Description

A user was observed visiting multiple domains for personal reasons. Time theft happens when an employee is paid to work but does not actually work during that time. It might affect your business as it reduces the employee's efficiency.

Attacker's Goals

A user may utilize work time for personal reasons.

Investigative actions

  • Investigate the domains accessed and how popular they are in the organization.
  • Verify that the user is not part of a department that visits these websites as part of their daily operations.
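The two investigative actions above can be scripted against URL-filtering events. The following is an added example and not Cortex XDR's own detection logic: it uses the page's 30-day training period to measure how popular each domain is across the organization, then flags a user who reached several low-popularity domains within the 12-hour test period. The sample events, the `MIN_DOMAINS` threshold and the `RARE_USER_FRACTION` cutoff are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (user, domain, timestamp) events; not real platform logs.
EVENTS = [
    ("alice", "video.example", "2024-05-20T09:00:00"),
    ("bob", "video.example", "2024-05-21T10:00:00"),
    ("carol", "video.example", "2024-05-22T11:00:00"),
    ("alice", "intranet.example", "2024-06-17T09:00:00"),
    ("bob", "intranet.example", "2024-06-17T09:05:00"),
    ("carol", "intranet.example", "2024-06-17T09:10:00"),
    ("dave", "stream-a.example", "2024-06-18T09:00:00"),
    ("dave", "stream-b.example", "2024-06-18T10:30:00"),
    ("dave", "stream-c.example", "2024-06-18T12:00:00"),
    ("dave", "intranet.example", "2024-06-18T13:00:00"),
]

TRAINING = timedelta(days=30)   # training period from the alert reference
TEST = timedelta(hours=12)      # test period from the alert reference
MIN_DOMAINS = 3                 # assumed threshold; the page states none
RARE_USER_FRACTION = 0.25       # assumed popularity cutoff; the page states none


def domain_popularity(events, now_iso):
    """Fraction of all active users who visited each domain during training."""
    now = datetime.fromisoformat(now_iso)
    start = now - TRAINING
    users_by_domain = defaultdict(set)
    all_users = set()
    for user, domain, ts in events:
        if start <= datetime.fromisoformat(ts) < now:
            users_by_domain[domain].add(user)
            all_users.add(user)
    return {d: len(u) / len(all_users) for d, u in users_by_domain.items()}


def flag_users(events, now_iso):
    """Users who visited at least MIN_DOMAINS unpopular domains in the test window."""
    popularity = domain_popularity(events, now_iso)
    now = datetime.fromisoformat(now_iso)
    start = now - TEST
    rare_by_user = defaultdict(set)
    for user, domain, ts in events:
        if start <= datetime.fromisoformat(ts) < now and popularity.get(domain, 0) <= RARE_USER_FRACTION:
            rare_by_user[user].add(domain)
    return {u: sorted(d) for u, d in rare_by_user.items() if len(d) >= MIN_DOMAINS}


if __name__ == "__main__":
    print(flag_users(EVENTS, "2024-06-18T14:00:00"))
```

Domains that most of the organization visits (the intranet here) never count against a user, which is the check behind the first investigative action; the department check in the second action still has to be done against HR or directory data.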