Suspicious SaaS API call from a Tor exit node

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Box Audit Log
    • Dropbox
    • Google Workspace Audit Logs
    • Office 365 Audit

Detection Modules

Identity Threat Module

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

High

Description

A SaaS API was called from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.

Variations

A failed API call from a Tor exit node

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

Informational

Description

A SaaS API was called from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.


Suspicious SaaS API call from a Tor exit node via Mobile Device

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

Medium

Description

A SaaS API was called from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.
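The detection this entry describes, as an added example that is not Cortex XDR's own code: each SaaS audit event's client IP is checked against a Tor exit-node list, the variations above decide the severity (failed call is Informational, call via mobile device is Medium, otherwise High), and repeats are suppressed within the one-day deduplication period. The exit addresses, the event field names, the mobile user-agent markers and the per-user-and-severity deduplication key are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed Tor exit-node list; documentation-range addresses stand in for a real feed.
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("203.0.113.7", "198.51.100.42")}
MOBILE_MARKERS = ("iPhone", "iPad", "Android")  # assumed mobile user-agent markers

def classify(event):
    """Map one SaaS audit event to an alert severity, or None when the source is not a Tor exit."""
    if ipaddress.ip_address(event["client_ip"]) not in TOR_EXIT_NODES:
        return None
    if event["result"] != "Success":
        return "Informational"          # variation: failed API call from a Tor exit node
    if any(m in event.get("user_agent", "") for m in MOBILE_MARKERS):
        return "Medium"                 # variation: call via mobile device
    return "High"                       # base alert

def detect(events, dedup_window=timedelta(days=1)):
    """Return alerts, suppressing repeats for the same user and severity inside the dedup window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        sev = classify(ev)
        if sev is None:
            continue
        key = (ev["user"], sev)         # assumed deduplication key
        if key in last_seen and ev["time"] - last_seen[key] < dedup_window:
            continue
        last_seen[key] = ev["time"]
        alerts.append({"user": ev["user"], "severity": sev,
                       "operation": ev["operation"], "time": ev["time"]})
    return alerts

def _ev(ts, user, ip, op, result="Success", ua="Mozilla/5.0 (Windows NT 10.0)"):
    return {"time": datetime.fromisoformat(ts), "user": user, "client_ip": ip,
            "operation": op, "result": result, "user_agent": ua}

# Constructed audit events, loosely shaped like an Office 365 audit record.
SAMPLE_EVENTS = [
    _ev("2024-06-01T08:00:00", "alice@example.com", "203.0.113.7", "FileDownloaded"),
    _ev("2024-06-01T08:05:00", "alice@example.com", "203.0.113.7", "FileDownloaded"),  # deduplicated
    _ev("2024-06-01T09:00:00", "bob@example.com", "198.51.100.42", "UserLoggedIn", result="Failed"),
    _ev("2024-06-01T10:00:00", "carol@example.com", "198.51.100.42", "FileAccessed",
        ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"),
    _ev("2024-06-01T11:00:00", "dave@example.com", "192.0.2.10", "FileAccessed"),  # not a Tor exit
    _ev("2024-06-02T14:00:00", "alice@example.com", "203.0.113.7", "FileDownloaded"),  # outside window
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["time"]:%Y-%m-%d %H:%M} {a["severity"]:<13} {a["user"]} {a["operation"]}')
```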