Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 3 Days |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An archive file was created by a user who doesn't usually create such files. This might indicate an attempt to stage data before exfiltration.
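An illustration of the behaviour described above, added here and not the product's own detection logic: a per-user baseline over the 30-day training period, with repeat alerts suppressed for the 3-day deduplication period. The extension list, the `MIN_ACTIVE_DAYS` threshold, the event tuple layout and the sample events are assumptions made for the example.

```python
from datetime import datetime, timedelta

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz", ".tgz")  # assumed extension list
TRAINING = timedelta(days=30)  # Training Period from the synopsis
DEDUP = timedelta(days=3)      # Deduplication Period from the synopsis
MIN_ACTIVE_DAYS = 3            # assumed: archive activity on this many days is "usual"

def detect(events):
    """events: (timestamp, user, host, path) file-creation records; returns alerts."""
    first_seen, archive_days, last_alert, alerts = {}, {}, {}, []
    for ts, user, host, path in sorted(events):
        first_seen.setdefault(user, ts)
        if not path.lower().endswith(ARCHIVE_EXTS):
            continue
        days = archive_days.setdefault(user, set())
        # Earlier days inside the training window on which this user created an archive.
        baseline = {d for d in days if timedelta(0) < ts.date() - d <= TRAINING}
        days.add(ts.date())
        if ts - first_seen[user] < TRAINING:
            continue  # not enough history to say what is usual for this user
        if len(baseline) >= MIN_ACTIVE_DAYS:
            continue  # archiving is routine for this user
        key = (user, host)
        if key in last_alert and ts - last_alert[key] < DEDUP:
            continue  # same user and host already alerted inside the dedup period
        last_alert[key] = ts
        alerts.append((ts, user, host, path))
    return alerts

def sample_events():
    """Constructed file-creation log, not real telemetry."""
    t0 = datetime(2024, 1, 1, 9, 0)
    day = lambda n, h=0: t0 + timedelta(days=n, hours=h)
    ev = []
    for n in range(46):
        ev.append((day(n), "alice", "srv-backup", f"/backup/nightly-{n}.tar.gz"))  # routine
        ev.append((day(n), "bob", "wks-17", f"/home/bob/report-{n}.docx"))
    ev.append((day(38), "carol", "wks-22", "/home/carol/notes.txt"))
    ev.append((day(40), "carol", "wks-22", "/home/carol/photos.zip"))  # too little history
    ev += [(day(40, 1), "bob", "wks-17", "/tmp/share.zip"),    # first archive: alert
           (day(40, 3), "bob", "wks-17", "/tmp/share2.7z"),    # deduplicated
           (day(41, 1), "bob", "wks-17", "/tmp/share3.rar"),   # deduplicated
           (day(45, 1), "bob", "wks-17", "/tmp/share4.zip")]   # still unusual: alert
    return ev

if __name__ == "__main__":
    for ts, user, host, path in detect(sample_events()):
        print(ts.isoformat(), user, host, path)
```

The routine archiver and the user with less than a full training window of history produce no alerts; the user with no archive history alerts once, and again only after the deduplication period has passed.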
Attacker's Goals
Stage data on an endpoint in the organization.
Investigative actions
Check for any other suspicious activity related to the host and the user involved in the alert.