EMAIL BETA - Elevated alert triggered by combined alerts and severity

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2025-04-21
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:

Detection Modules

Email

Detector Tags

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Informational

Description

Multiple informational and low-severity alerts have combined to trigger an elevated alert.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Identify the specific emails responsible for the accumulation of low-severity alerts.
  • Review their headers and content for patterns or anomalies.
  • Assess the email's context and attack techniques to determine the primary risk factor driving the alert.
  • Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent low-severity alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk.
  • Document and escalate findings if the accumulation of low-severity warnings suggests a broader phishing campaign.

Variations

EMAIL BETA - Elevated alert triggered by combined attack techniques

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Phishing (T1566)

Severity

Low

Description

Multiple informational and low-severity alerts have combined to trigger an elevated alert.

Attacker's Goals

Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.

Investigative actions

  • Identify the specific emails responsible for the accumulation of low-severity alerts.
  • Review their headers and content for patterns or anomalies.
  • Assess the email's context and attack techniques to determine the primary risk factor driving the alert.
  • Review the email headers and metadata of each flagged email to identify potential spoofing techniques or unusual routing patterns.
  • Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts.
  • Correlate findings with recent low-severity alerts in the SIEM to assess whether similar accumulation patterns are forming.
  • Engage potentially affected users to understand if any actions were taken in response to these emails, which could increase the overall risk.
  • Document and escalate findings if the accumulation of low-severity warnings suggests a broader phishing campaign.