A user accessed an abnormal number of files on a remote shared folder

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

File and Directory Discovery (T1083)

Severity

Informational

Description

A user remotely accessed an abnormal number of files on a remote shared folder. This might indicate an attempt to collect data before exfiltration.

Attacker's Goals

Collect valuable data about the organization for exfiltration purposes.

Investigative actions

  • Check for other suspicious activity made by the user at the time of the event.
  • Go over the list of files and check if such user should have access to those files.