Untrusted process contacted LLM API

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Resource Development (TA0042)

ATT&CK Technique

Obtain Capabilities: Artificial Intelligence (T1588.007)

Severity

Informational

Description

An untrusted process contacted an LLM API.

Attacker's Goals

Adversaries may use LLM APIs to create malicious payload dynamically. Each payload will be slightly different making detection more complex.

Investigative actions

  • Investigate the process that contacted the LLM API.
  • Check if this LLM API access is legitimate and expected.
  • Analyze the data potentially sent to the LLM service.

Variations

Untrusted process contacted a rare LLM API

Synopsis

ATT&CK Tactic

Resource Development (TA0042)

ATT&CK Technique

Obtain Capabilities: Artificial Intelligence (T1588.007)

Severity

Low

Description

An untrusted process contacted a rare LLM API.

Attacker's Goals

Adversaries may use LLM APIs to create malicious payload dynamically. Each payload will be slightly different making detection more complex.

Investigative actions

  • Investigate the process that contacted the LLM API.
  • Check if this LLM API access is legitimate and expected.
  • Analyze the data potentially sent to the LLM service.