Uncommon communication to an instant messaging server

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Web Service (T1102)

Severity

Informational

Description

A rare communication from a process to a known instant messaging server.

Attacker's Goals

Data exfiltration or attack tool staging through a trusted service.

Investigative actions

  • Examine the legitimacy of the application that communicated with the provider's server (for example, its image path, signer and command line).
  • Examine the parent process of this application.
  • Check for anomalies in the time frame in which the communication occurred (for example, activity outside the user's normal working hours).

Variations

Uncommon communication to an instant messaging server by a suspicious process

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Web Service (T1102)

Severity

Low

Description

A rare communication by a suspicious process to a known instant messaging server.

Attacker's Goals

Data exfiltration or attack tool staging through a trusted service.

Investigative actions

  • Examine the legitimacy of the application that communicated with the provider's server (for example, its image path, signer and command line).
  • Examine the parent process of this application.
  • Check for anomalies in the time frame in which the communication occurred (for example, activity outside the user's normal working hours).


Uncommon communication to an instant messaging server by an uncommon scripting engine execution

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Web Service (T1102)

Severity

Low

Description

A rare communication to a known instant messaging server by a scripting engine whose execution is itself uncommon.

Attacker's Goals

Data exfiltration or attack tool staging through a trusted service.

Investigative actions

  • Examine the legitimacy of the application that communicated with the provider's server (for example, its image path, signer and command line).
  • Examine the parent process of this application.
  • Check for anomalies in the time frame in which the communication occurred (for example, activity outside the user's normal working hours).
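
The base alert and its two variations above describe one detection with different grading. The following Python script is an added illustration of that logic run over constructed telemetry; it is not Cortex XDR's own analytics code. The event record fields, the instant messaging domain list, the scripting engine list, the "suspicious process" heuristic (unsigned image or a temp-directory path) and the business-hours window are all assumptions made for the example. It applies the synopsis windows literally: no alerts during the first 14 days of data (activation), a (host, process, domain) pair counts as common once it was seen within the last 30 days (training), and repeats of the same pair within 1 day are suppressed (deduplication). Each alert carries the parent process and an off-hours flag to support the investigative actions listed above.

```python
"""Illustrative detector for rare process -> instant messaging server
connections, written as an added example for this reference page. It is not
Cortex XDR's analytics implementation. The event fields, the IM domain list,
the scripting engine list, the "suspicious process" heuristic and the sample
telemetry below are assumptions constructed for the demonstration."""
from datetime import datetime, timedelta

# Windows from the synopsis: learn for 30 days, start alerting after 14 days of
# data, and suppress repeat alerts on the same pair for 1 day.
ACTIVATION = timedelta(days=14)
TRAINING = timedelta(days=30)
DEDUP = timedelta(days=1)

# Assumed provider domains (constructed, not exhaustive).
IM_DOMAINS = {"slack.com", "discord.com", "discordapp.com", "telegram.org", "whatsapp.com"}
# Assumed scripting engines for the "uncommon scripting engine" variation.
SCRIPTING_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def im_domain(dst_host):
    """Return the IM provider domain matching dst_host or any parent domain of
    it (hooks.slack.com -> slack.com), else None."""
    labels = dst_host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IM_DOMAINS:
            return candidate
    return None


def is_suspicious(event):
    """Assumed heuristic for the 'suspicious process' variation: an unsigned
    image, or an image running out of a temp directory."""
    return (not event["signed"]) or "\\temp\\" in event["image_path"].lower()


def classify(event):
    """Map an alerting event to the (severity, variation) pairs on this page."""
    if event["process"].lower() in SCRIPTING_ENGINES:
        return "Low", "uncommon scripting engine execution"
    if is_suspicious(event):
        return "Low", "suspicious process"
    return "Informational", ""


def detect(events, activation=ACTIVATION, training=TRAINING, dedup=DEDUP):
    """Single-event detection: alert when a (host, process, IM domain) pair was
    not seen within the training window. The profile is folded in once per day,
    so the dedup window suppresses repeats that arrive before the daily update."""
    if not events:
        return []
    events = sorted(events, key=lambda e: e["ts"])
    first_ts = events[0]["ts"]
    profile = {}      # key -> last observation already folded into the profile
    pending = {}      # keys observed today, folded in at the next day rollover
    last_alert = {}   # key -> timestamp of the last alert raised on that key
    current_day = None
    alerts = []
    for e in events:
        if e["ts"].date() != current_day:
            profile.update(pending)
            pending, current_day = {}, e["ts"].date()
        domain = im_domain(e["dst_host"])
        if domain is None:
            continue  # not an IM server: outside this detector's scope
        key = (e["host"].lower(), e["process"].lower(), domain)
        pending[key] = e["ts"]
        if e["ts"] - first_ts < activation:
            continue  # inside the activation period: learn only
        prev = profile.get(key)
        if prev is not None and e["ts"] - prev <= training:
            continue  # seen within the training window: not rare
        if key in last_alert and e["ts"] - last_alert[key] < dedup:
            continue  # duplicate of an alert raised within the last day
        last_alert[key] = e["ts"]
        severity, variation = classify(e)
        alerts.append({
            "ts": e["ts"], "host": e["host"], "process": e["process"],
            "parent": e["parent"], "domain": domain,
            "severity": severity, "variation": variation,
            "off_hours": not 8 <= e["ts"].hour < 18,  # assumed business hours
        })
    return alerts


# Constructed sample telemetry, modelled on agent network-connection records.
BASE = datetime(2024, 11, 1)


def ev(day, hour, host, process, image_path, parent, dst_host, signed=True, minute=0):
    return {"ts": BASE + timedelta(days=day, hours=hour, minutes=minute), "host": host,
            "process": process, "image_path": image_path, "parent": parent,
            "dst_host": dst_host, "signed": signed}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev(d, 9, "HOST-A", "slack.exe", r"C:\Users\alice\AppData\Local\slack\slack.exe",
       "explorer.exe", "slack.com") for d in range(20)                       # daily baseline
] + [
    ev(5, 11, "HOST-B", "Discord.exe", r"C:\Users\bob\AppData\Local\Discord\Discord.exe",
       "explorer.exe", "discord.com"),                                       # learned in training
    ev(17, 11, "HOST-B", "Discord.exe", r"C:\Users\bob\AppData\Local\Discord\Discord.exe",
       "explorer.exe", "discord.com"),                                       # repeat: not rare
    ev(16, 23, "HOST-A", "powershell.exe", PS, "WINWORD.EXE", "api.telegram.org", minute=30),  # alert
    ev(16, 23, "HOST-A", "powershell.exe", PS, "WINWORD.EXE", "api.telegram.org", minute=45),  # deduplicated
    ev(18, 10, "HOST-B", "update.exe", r"C:\Users\bob\AppData\Local\Temp\update.exe",
       "explorer.exe", "cdn.discordapp.com", signed=False),                  # alert: suspicious
    ev(19, 14, "HOST-A", "curl.exe", r"C:\Program Files\Git\usr\bin\curl.exe",
       "cmd.exe", "hooks.slack.com"),                                        # alert: informational
    ev(19, 15, "HOST-A", "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       "explorer.exe", "www.example.com"),                                   # not an IM server
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["severity"], a["host"], a["process"], "->", a["domain"],
              "parent=" + a["parent"], "off_hours=%s" % a["off_hours"], a["variation"])
```

Run directly, the script raises three alerts on the sample data: the PowerShell contact from a Word parent at 23:30 (Low, scripting engine variation, off hours), the unsigned temp-directory binary reaching a Discord CDN host (Low, suspicious process) and a curl call to a Slack webhook host (Informational). The daily Slack client, the Discord client learned during training and the browser traffic to a non-IM host produce nothing. Because the profile learns every pair it sees, a first contact that is in fact malicious becomes "common" after one day in this model, which is why the base severity is Informational: the alert is a triage lead, and the parent process and timing fields are there so the investigative actions above can be applied to it.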