Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0005 ✕ technique: T1485 ✕

Show ATT&CK heatmap
  • AWS CloudWatch log group deletion Informational Cloud

    An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.
  • AWS CloudWatch log stream deletion Informational Cloud

    An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.
  • Azure Resource Group Deletion Informational Cloud

    Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which resource group was deleted.