Uncommon SQL like command line

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-10-27

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Informational

Uncommon SQL query in command line of an executed process.

An attacker may use SQL queries to steal information stored at the target databases.

Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Medium

Uncommon SQL query in command line of a process which executed remotely.

An attacker may use SQL queries to steal information stored at the target databases.

Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Medium

Uncommon SQL query in command line of a process executed by a Remote Monitoring & Management tool.

An attacker may use SQL queries to steal information stored at the target databases.

Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Low

Uncommon SQL query in command line of an executed process.

An attacker may use SQL queries to steal information stored at the target databases.

Check if the CGO (Causality Group Owner) is known for running SQL queries in the organization.