Uncommon Local Scheduled Task Creation via schtasks.exe
Traps endpoint data.
The schtasks.exe command enables creating, deleting, querying, changing, running, and ending scheduled tasks on a local or remote endpoint.
Attackers may attempt to use the command to gain persistence on the endpoint using scheduled tasks.
Uncommon Remote Scheduled Task Creation via schtasks.exe
The Uncommon Remote Scheduled Task Creation via schtasks.exe alert indicates the uncommon scheduling of a task on a ...
Cortex XDR – Analytics Alert Reference
Cortex XDR – Analytics Alert reference includes symptoms of the alert, how the symptoms are detected, and what should be done about the alert. ...
New Features May 2019
New Features: May 2019 Feature Description Mobile Endpoint Coverage through GlobalProtect and GlobalProtect Cloud Service The Cortex XDR™ – Analytics app can now detect threats ...
Possible Cortex XDR – Analytics Alerts
All possible Cortex XDR – Analytics alerts grouped by attack category. ...
Uncommon ARP Cache Listing via arp.exe
The Uncommon ARP Cache Listing via arp.exe alert indicates the uncommon listing of the ARP cache through the arp.exe ...
Uncommon Routing Table Listing via route.exe
The Uncommon Routing Table Listing via route.exe alert indicates that the route.exe command was used to display or modify ...
Uncommon net localgroup Execution
The Uncommon net localgroup Execution alert indicates the net localgroup command was used on an endpoint. Synopsis Detection Frequency 10 minutes. ...
Uncommon Net Group Execution
The Cortex XDR – Analytics Uncommon Net Group Execution alert indicates the net group command was used on an endpoint. Synopsis ...
Uncommon Remote Service Start via sc.exe
The Uncommon Remote Service Start via sc.exe alert indicates that the Service Control (sc.exe) command was used to start ...