Account probing

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A user failed to log in to multiple hosts it never accessed before in a short amount of time.
This may indicate the account is compromised and an attacker is probing for a host it can access with those credentials.

Attacker's Goals

Gain access to hosts by using stolen user-account credentials.

Investigative actions

Check if the user account was compromised, and which resources it could access.