Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0005 ✕ technique: T1537 ✕

Show ATT&CK heatmap
  • An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation

    An unusual cloud identity was granted permissions to a BigQuery table or dataset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.
    Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.

    Variations

    Cloud admin granted an unknown identity permissions to a BigQuery resource

    Informational overridden

    An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden

  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden