Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0005 ✕ technique: T1070 ✕
Show ATT&CK heatmapAWS SecurityHub findings were modified Informational Cloud
AWS SecurityHub findings were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: AWS Audit LogAttacker's goals: Bypass security measures implemented by AWS SecurityHub.Investigative actions: Check the current AWS SecurityHub settings and verify they are configured properly.Azure mailbox rule creation Informational Cloud 1 variation
A Mailbox rule in Azure was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Defense Evasion (TA0005)ATT&CK techniques: Email Collection: Email Forwarding Rule (T1114.003) Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Azure Audit Log Microsoft Graph LogsDetector tags: Microsoft Graph Activity LogsAttacker's goals: Intercept or exfiltrate sensitive information.Investigative actions: Investigate the rule's details and confirm its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised.Variations
Unusual Azure mailbox rule creation
Low overridden
A Mailbox rule in Azure was created. overridden
Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations
An identity has modified data sharing settings between GCP and Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.Variations
Data Sharing between GCP and Google Workspace was disabled by a suspicious identity
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled from an unusual ASN
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Delayed Deletion of Files Low
A command line deleting files used the time-out or ping commands to delay the file deletion. This is suspicious, as malware sometimes uses these techniques to cover their tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: File Deletion (T1070.004)Required data: XDR AgentAttacker's goals: Evade security controls and possibly cover their tracks.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Deletion of AD CS certificate database entries Informational Identity Analytics 1 variation
A user has deleted rows from the certificate database of an AD CS server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to cover their tracks after issuing certificates.Investigative actions: Check the user account deleting the certificate database entries and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes.Variations
Abnormal deletion of AD CS certificate database entries
Low overridden
A user has deleted rows from the certificate database of an AD CS server. overridden
Removal of an Azure Owner from an Application or Service Principal Informational Cloud 1 variation
An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: Azure Audit LogAttacker's goals: Remove owners from applications for full control of the application or service principal. Manipulate or delete data stored in the Azure environment.Investigative actions: Check the Azure Activity Log to identify which user removed the Azure Owner. Check the Azure Role Assignments to identify the current Azure Owners. Check the Application or Service Principal to identify if any changes have been made.Variations
Removal of an Azure AD privileged user from an Application or Service Principal
Low overridden
An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service. overridden
Uncommon attempt to clear shell history Low 1 variation
An attempt to clear or manipulate shell history files was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal (T1070)Required data: XDR AgentAttacker's goals: Attackers may clear or modify shell history files to remove traces of their activities.Investigative actions: Investigate the user and process that executed the command. Examine other related activities on the host to understand the context of this action.Variations
Globally uncommon attempt to clear shell history
Medium overridden
An attempt to clear or manipulate shell history files was detected. overridden
User moved Exchange sent messages to deleted items Informational Identity Threat Module Email 1 variation
A user moved sent messages to deleted items in Exchange.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: Clear Mailbox Data (T1070.008)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to hide newly sent email messages for evasion purposes.Investigative actions: Look for signs that the user account and mailboxes are compromised (e.g. abnormal logins, unusual activity). Investigate the IP address associated with the activity. Follow further actions done by the account. Look for unusual email patterns from the affected mailbox (e.g. unusual email contents). Examine the user's email activity history for suspicious behavior.Variations
Sensitive Exchange sent messages moved to deleted items from unusual source
Low overridden
A user moved sensitive sent messages to deleted items in Exchange. overridden
Windows event logs were cleared with PowerShell Informational 3 variations
Windows event logs were cleared or deleted with PowerShell.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Indicator Removal: Clear Windows Event Logs (T1070.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attackers may clear events from Windows event logs to remove traces of their malicious activity.Investigative actions: Validate if the script that was executed is from a legitimate IT activity. Look for additional suspicious actions that were executed on the host.Variations
Suspicious clear or delete security provider event logs with PowerShell
High overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Suspicious clear or delete default providers event logs with PowerShell
Medium overridden
Windows event logs were cleared or deleted with PowerShell. overridden
Windows event logs were cleared with uncommon PowerShell command line
Low overridden
Windows event logs were cleared or deleted with PowerShell. overridden