A user changed the Windows system time

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

System Time Discovery (T1124)

Severity

Informational

Description

A user changed the Windows system time. This may be indicative of a malicious activity and may affect authentication from the source machine.

Attacker's Goals

A malicious insider might change their Windows system time. This action might affect the machine's ability to authenticate to the domain.

Investigative actions

Check for any other suspicious activity related to the host and the user involved in the alert.