A Torrent client was detected on a host

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-04-13
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days

Training Period: 30 Days

Test Period: N/A (single event)

Deduplication Period: 1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Firewall traffic Logs
      OR
    • XDR Agent
      OR
    • Third-Party Firewalls

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity: Informational

Description

The host produced traffic consistent with the BitTorrent protocol.
Torrent usage may expose the organization to malware or enable attackers or malicious insiders to exfiltrate data.

Attacker's Goals

Exfiltrate data or gain a phishing entry point.

Investigative actions

  • Check the host for torrent client software.
  • Look in the downloads folder for unfamiliar files or Torrent files.
  • Examine the client's network traffic for uploaded or downloaded file hashes.
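
One way to carry out the last action on captured payloads, as an added example that is not part of the Cortex XSIAM reference or product: it extracts the torrent info-hash (and the client's peer ID) from a BitTorrent peer handshake or an HTTP tracker announce, using the field layout from the public BitTorrent specification (BEP 3). The function names and sample payloads are constructed for illustration.

```python
# Added example: pull torrent info-hashes out of captured TCP payloads.
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

PSTR = b"\x13BitTorrent protocol"          # length byte 19 + protocol string (BEP 3)
HANDSHAKE_LEN = len(PSTR) + 8 + 20 + 20     # + reserved + info_hash + peer_id = 68
ANNOUNCE_RE = re.compile(rb"^GET\s+\S*[?&]info_hash=([^&\s]+)")

def parse_handshake(payload):
    """Peer-wire handshake -> (info_hash_hex, peer_id) or None."""
    if len(payload) < HANDSHAKE_LEN or not payload.startswith(PSTR):
        return None
    return payload[28:48].hex(), payload[48:68].decode("latin-1")

def parse_announce(payload):
    """HTTP tracker announce -> info_hash_hex or None."""
    m = ANNOUNCE_RE.match(payload)
    if not m:
        return None
    raw = unquote_to_bytes(m.group(1))       # info_hash is sent percent-encoded
    return raw.hex() if len(raw) == 20 else None

def scan(payloads):
    """Return one finding per payload that carries an info-hash."""
    findings = []
    for p in payloads:
        hs = parse_handshake(p)
        if hs:
            findings.append({"source": "handshake", "info_hash": hs[0], "peer_id": hs[1]})
            continue
        ih = parse_announce(p)
        if ih:
            findings.append({"source": "announce", "info_hash": ih, "peer_id": None})
    return findings

# Constructed sample payloads (not real traffic); hash and peer ID are made up.
SAMPLE_HASH = bytes(range(20))
SAMPLE_PAYLOADS = [
    PSTR + bytes(8) + SAMPLE_HASH + b"-XX0001-" + b"A" * 12,
    b"GET /announce?info_hash=" + quote_from_bytes(SAMPLE_HASH).encode() + b"&port=6881 HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1\r\n",
    PSTR + bytes(8),                          # truncated handshake, ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAYLOADS):
        print(finding)
```

The peer ID prefix usually encodes the client name and version, which helps when checking the host for installed torrent software.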
