Modified Logic - Content Update Release Notes - Cortex

Analytics Content Version: 2026.01.28

Product: Cortex
Creation date: 2026-02-09
Last date published: 2026-02-09
Category: Content Update Release Notes

[Informational] A process is masquerading as a common Microsoft product

  • [High] An unsigned and rare actor executing masqueraded process with uncommon characteristics - Added

  • [Medium] A process that was executed by remote causality actor is masquerading as a common Microsoft product - Added

[Informational] Rare scheduled task created

  • [High] Rare scheduled task created by an injected actor - Added

  • [Medium] Uncommon remote scheduled task created - Modified Metadata

  • [Low] Highly rare scheduled task created - Modified Logic

  • [Low] Uncommon local scheduled task created - Modified Logic

[Low] Uncommon driver loaded

  • [High] Uncommon driver loaded by a Web server process - Modified Metadata

  • [Medium] Globally rare and unsigned driver loaded - Modified Logic

  • [Medium] Uncommon driver with a globally rare vendor loaded as a service - Modified Metadata

[Informational] A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

  • [High -> Medium] A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by unsigned causality actor - Modified Metadata

  • [High -> Medium] A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process - Modified Metadata

  • [Medium -> Low] A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process - Modified Metadata

[Informational] An identity attached an administrative policy to an IAM user or role

  • [Medium] An identity failed to attach an administrative policy to an IAM user or role - Modified Logic

  • [Low] A suspicious identity attached an administrative policy to an IAM user/role - Modified Logic

[Informational] An identity initiated a download of multiple cloud objects

  • [Medium] An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume - Modified Logic

  • [Low] An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume - Modified Logic

[Informational] An identity performed a suspicious download of multiple cloud storage objects

  • [Medium] An identity performed a suspicious download of multiple cloud storage objects - Modified Logic

[Informational] Uncommon attempt at discovering a sensitive file

  • [Medium] Uncommon attempt at discovering a sensitive file by a potentially known credential dumper or enumeration script - Modified Logic

[Informational] Uncommon attempt at grabbing credentials from a sensitive file

  • [Medium] Uncommon attempt at grabbing credentials from a sensitive file by a potentially known credential dumper or enumeration script - Modified Logic

[Informational] An identity created or updated password for an IAM user

  • [Low] A suspicious identity created or updated password for an IAM user - Modified Logic

[Low] Email attachment with Right-to-Left Override Unicode character

[Informational -> Low] Email with file-sharing link containing auto-download parameter

[Low] Execution of command from within a Kubernetes pod using kubelet credentials

[Low] Risk indicators detected in email

[Low] Sending unusual file(s) to an external address

[Low] Suspicious access of the System Management Container

[Low] Suspicious modification of the AdminSDHolder's ACL

[Informational] An uncommon file added to startup-related Registry keys

[Informational] An unusual read activity of cloud object

[Informational] Cloud impersonation attempt by unusual identity type

[Informational] Email attachment with a potentially malicious file extension

[Informational] Email attachment(s) with potentially malicious MIME type

[Informational] Email contains URL delivering high-risk file type

[Informational] Email marked as spam and bulk based on Spam Confidence Level and Bulk Complaint Level values

[Informational] Moniker link detected in URL(s)

[Informational] Near-empty email from an external sender

  • [Informational] Blank email with an attachment from an external sender - Added

  • [Informational] Blank email with an inline attachment from an external sender - Added

  • [Informational] Email has empty body or subject and was sent from an external source - Removed

  • [Informational] Empty email from an external sender - Modified Metadata

[Informational] Possible Privilege Escalation using Delegated MSA account

[Informational] Punycode characters detected in URL(s)

[Informational] Suspicious DKIM Result

  • [Informational] DKIM results lacking sender correlation - Modified Logic

  • [Informational] Known domain DKIM deviation - Modified Logic

  • [Informational] Known domain suspicious DKIM result - Modified Logic

[Informational] Uncommon URL domain(s) in your organization detected in email

[Informational] Unpopular URL(s) detected in email

[Informational] Unpopular domains detected in email URLs for a recipient

[Informational] Unrecognized sender address

  • [Informational] Email was received from an unknown sender with an unrecognized domain - Removed

[Informational] Unusual secret management activity

[Informational] User signed in to an application via Power Automate for the first time