Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0005 ✕ technique: T1222 ✕
Show ATT&CK heatmapAzure Blob Container Access Level Modification Informational Cloud
Access level modification for a blob container, this action might be dangerous as sensitive data can be exposed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: File and Directory Permissions Modification (T1222)Required data: Azure Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Access restricted data.Investigative actions: Check if and which data was exposed after the access level modification.GCP Storage Bucket Permissions Modification Informational Cloud
A GCP storage bucket's IAM permissions were modified. An attacker might use this technique to expose sensitive data or cause data loss.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: File and Directory Permissions Modification (T1222)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate information.Investigative actions: Check which data exists in the modified bucket and its classification. Look for events that involve actions for the bucket data.