Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

82 alerts match the current filters. tactic: TA0005 ✕ technique: T1562 ✕

Show ATT&CK heatmap
  • A browser was opened in private mode Informational Identity Threat Module

    A browser was opened in private mode, which may indicate an attempt to cover tracks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)
    Required data: XDR Agent
    Attacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.
  • A cloud identity created or modified a security group Informational Cloud 2 variations

    A cloud identity created or modified a security group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Bypass network security controls to gain access to restricted cloud resources.
    Investigative actions: Check which security rules were added or modified. Check whether the identity that modified the security group rules is permitted to perform such action. Check which cloud resources can be affected by the security group.

    Variations

    A cloud identity opened a security group to the Internet

    Medium overridden

    A cloud identity modified a security group to allow network access from the Internet. overridden

    A cloud identity opened a security group to an unknown IP

    Low overridden

    A cloud identity modified a security group to allow network access from an unknown IP. overridden

  • A domain was added to the trusted domains list Low Identity Threat Module 2 variations

    A domain was added to the Google Workspace trusted domains list.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.

    Variations

    A domain was added to the trusted domains list by a non Google Workspace administrative user

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

    A domain was added to the trusted domains list from an unusual ASN

    Low overridden

    A domain was added to the Google Workspace trusted domains list. overridden

  • A user added a Windows firewall rule Informational Identity Threat Module

    A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.
    Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Check Windows Defender Firewall with Advanced Security for a new rule that was added. Check if the new rule was added to different machines as well.
  • A user modified an Okta network zone Informational Identity Threat Module 2 variations

    An Okta network zone was modified by a user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta network zone to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other network zones have been changed or removed.

    Variations

    The user has made an unusual modification to the Okta Network zone

    Medium overridden

    An atypical modification to the Okta Network zone has been performed by the user. overridden

    A user modified an Okta network zone with suspicious characteristics

    Low overridden

    An Okta network zone was modified by a user with suspicious characteristics. overridden

  • A user modified an Okta policy rule Informational Identity Threat Module 1 variation

    An Okta policy rule was modified by a user, suggesting a potential compromise of the account.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)
    Required data: Okta Audit Log
    Detector tags: Okta Audit Analytics
    Attacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.

    Variations

    A user modified an Okta policy rule with suspicious characteristics

    Low overridden

    An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden

  • A user modified the CA audit policy Low Identity Analytics

    This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable Windows Event Logging (T1562.002)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: An attacker is attempting to cover their tracks before an AD CS attack.
    Investigative actions: Check the user account modifying the CA audit policy and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.
  • AI safeguards deletion attempt Informational Cloud 1 variation

    A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.
    Investigative actions: Examine which AI models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    AI safeguards were successfully deleted

    Low overridden

    A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

  • AI safeguards were modified Informational Cloud 2 variations

    A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.
    Investigative actions: Examine changed safeguards filters and determine which AI models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual modification of AI safeguards

    Low overridden

    A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

    AI safeguards were created or modified

    Informational overridden

    A cloud identity created or modified AI safeguards. overridden

  • AWS Bedrock model invocation logging deletion Low Cloud 2 variations

    A cloud identity deleted the model invocation logging.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Avoid detection by limiting collected data from models.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.

    Variations

    AWS Bedrock model invocation logging deletion by an identity with administrative activity

    Informational overridden

    A cloud identity with administrative activity deleted the model invocation logging. overridden

    AWS Bedrock model invocation logging was successfully deleted

    Low overridden

    A cloud identity successfully deleted the model invocation logging. overridden

  • AWS CloudTrail has been stopped Informational Cloud 2 variations

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Verify whether the identity attempted to stop trail logging. Determine if additional trails continue to log activity.

    Variations

    AWS CloudTrail has been stopped

    Medium overridden

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden

    AWS CloudTrail has been stopped

    Low overridden

    A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden

  • AWS CloudTrail modification Informational Cloud 2 variations

    An identity updated a CloudTrail trail configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Review the activity of the identity that modified the trail's configuration. Check which trail is affected by this change. Verify whether a new destination has been set for log archiving.

    Variations

    AWS CloudTrail modification

    Medium overridden

    An identity updated a CloudTrail trail configuration. overridden

    AWS CloudTrail modification

    Low overridden

    An identity updated a CloudTrail trail configuration. overridden

  • AWS CloudWatch log group deletion Informational Cloud

    An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.
  • AWS CloudWatch log stream deletion Informational Cloud

    An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.
  • AWS Config Recorder stopped Informational Cloud

    Configuration Recorder was stopped for a resource in AWS Config.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check the identity which stopped the configuration recording. Check what resources are affected by this change.
  • AWS Flow Logs deletion Informational Cloud

    A cloud identity has deleted one or more Flow Logs records.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate information.
    Investigative actions: Check if the Identity intended to delete the Flow Logs record/s. Check what VPC is affected by this.
  • AWS Guard-Duty detector deletion Low Cloud

    AWS Guard-Duty detector was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: This action may assist an attacker to evade detection.
    Investigative actions: Check why the identity deleted the detector. Check what resources are relevant to the deleted detector.
  • AWS S3 bucket was exposed to public access Low Cloud 2 variations

    AWS bucket was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the bucket to public. Change the bucket or ACL policy for bucket. Restrict permissions for the identity if needed.

    Variations

    AWS S3 bucket was exposed to public access by admin cloud identity

    Informational overridden

    AWS bucket was publicly shared. overridden

    AWS S3 bucket was exposed to public access containing sensitive information

    High overridden

    AWS bucket was publicly shared. overridden

  • AWS config resource deletion Informational Cloud

    An AWS config resource deletion this includes:Config rule, organization rule, configuration recorder, remediation configuration, conformance pack, configuration aggregator, delivery channel, retention configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may modify Config configuration to evade detection.
    Investigative actions: Check why the identity deleted the configuration. Check what resources are relevant to the deleted config.
  • AWS data asset shared public Low Cloud

    A data asset was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.
  • AWS network ACL rule deletion Informational Cloud

    An AWS network ACL rule was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.
    Investigative actions: Identify which VPC and associated resources are affected. Check the rule number, as ACL rules are evaluated in order. Determine whether the rule is ingress or egress.
  • AWS web ACL deletion Informational Cloud 1 variation

    Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: To impair defense, this may assist data exfiltration.
    Investigative actions: Verify if the identity intended to delete the Web ACL. Check what resources are affected by the Web ACL deletion.

    Variations

    Successful AWS web ACL deletion by a non-admin identity

    Low overridden

    Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted. overridden

  • An AWS GuardDuty IP set was created Informational Cloud

    An AWS GuardDuty IP set has been created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which IP set has been modified and confirm the changes.
  • An AWS S3 bucket configuration was modified Informational Cloud

    An AWS S3 bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify storage configuration to detection or allow access to sensitive information.
    Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.
  • An Azure Firewall policy deletion Low Cloud

    An Azure Firewall policy was deleted. An attacker might use this technique to disable network defenses.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Exfiltrate information, network persistence of a service/resource.
    Investigative actions: Check which subnets or specific IP addresses were affected by the change. Check which services were accessed after the firewall change and via which protocols or network traffic.
  • An Azure Firewall rule collection group was modified or deleted Informational Cloud

    An Azure Firewall rule collection group was modified or deleted. This could indicate a malicious actor attempting to bypass security measures.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures to gain access to cloud resources.
    Investigative actions: Check the Azure Firewall rule collection group to identify the modified or deleted rules.
  • An Azure Firewall was modified Informational Cloud

    An Azure Firewall was modified or deleted. This may indicate a security risk.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Verify whether the identity should be making this action. Check what changes were made to Azure Firewall.
  • An Azure Network Security Group was modified Informational Cloud

    An Azure Network Security Group was modified or deleted. This could indicate malicious activity or a misconfiguration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures to gain access to cloud resources.
    Investigative actions: Check the network security settings of the Azure account to identify any recent changes.
  • An Azure Point-to-Site VPN was modified Informational Cloud

    An Azure Point-to-Site VPN was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security controls.
    Investigative actions: Determine how the Azure Point-to-Site VPN was modified or deleted. Verify whether the identity performing this action is authorized to make such changes.
  • An Azure Suppression Rule was created Informational Cloud

    An Azure Suppression Rule was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Investigate the user's activity to determine the cause of the alert.
  • An Azure VPN Connection was modified Informational Cloud

    Modification or removal of an Azure VPN connection was detected. This alert indicates a change to an existing VPN connection or the deletion of an existing connection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security measures.
    Investigative actions: Check how Azure VPN Connection was modified. Verify whether the identity should be making this action.
  • An Azure firewall rule group was modified Informational Cloud

    An Azure firewall rule group was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Azure Audit Log
    Attacker's goals: Bypass security controls to gain access to restricted resources within the Azure cloud environment.
    Investigative actions: Check the Azure Firewall rule configuration to identify the changes made. Verify whether the identity should be making this action.
  • An identity disabled bucket logging Informational Cloud

    An identity disabled bucket logging.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Avoid detection by disabling cloud logging capabilities.
    Investigative actions: Determine whether this activity was done on purpose. Examine additional API calls made by the identity.
  • Azure Automation Runbook Deletion Informational Cloud

    An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)
    Required data: Azure Audit Log
    Attacker's goals: Stop business services.
    Investigative actions: Check which runbook was deleted and whether it is malicious or valid.
  • Azure Event Hub Deletion Low Cloud

    An Azure event hub was deleted. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check what actions were taken by the identity that deleted the event hub.
  • Azure Kubernetes events were deleted Informational Cloud

    Events have been deleted in Azure Kubernetes. This could indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Attacker's goals: Remove evidence or hinder defenses.
    Investigative actions: Look for any suspicious activity initiated by the identity.
  • Azure Network Watcher Deletion Low Cloud

    Azure Network Watchers are used for monitoring and diagnosing Azure resources. An attacker might use this technique to avoid security mitigations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Avoid security mitigations and detections.
    Investigative actions: Check which devices are monitored by the deleted Network Watcher.
  • Azure Resource Group Deletion Informational Cloud

    Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which resource group was deleted.
  • Azure diagnostic configuration deletion Informational Cloud

    An attacker might delete the Azure diagnostic settings to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check the identity and its actions after the deletion action.
  • Azure storage account was publicly shared Informational Cloud

    Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: Attackers want to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the storage account should be accessed from all networks. Disable public network access if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.
  • Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation

    A user modified Chrome OS Remote Access configuration in Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)
    ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.
    Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.

    Variations

    Suspicious Chrome OS Remote Access policy was modified in Google Workspace

    Low overridden

    This is the first time the user performs this operation in the last 30 days. overridden

  • Cloud AI agent was modified Informational Cloud 1 variation

    A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Modify AI agents to evade certain restrictions and potentially access sensitive data.
    Investigative actions: Examine changed AI agent and determine how it was affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual modification of AI agent

    Low overridden

    A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden

  • Cloud Organizational policy was created or modified Informational Cloud 1 variation

    Cloud organizational policy was created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)
    Required data: Gcp Audit Log
    Attacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.
    Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.

    Variations

    Cloud Organizational policy was created or modified

    Low overridden

    Cloud organizational policy was created or modified. overridden

  • Cloud Watch alarm deletion Informational Cloud

    A Cloud Watch alarm was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: Delete alarm to evade detection.
    Investigative actions: Check the identity that deleted the alarm. Check the which resource were related to the deleted alarm.
  • Cloud resource logging was disabled Informational Cloud 3 variations

    Cloud resource logging was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Avoiding detection of their activities by limiting the amount of data collected. This action may be preliminary to resource deletion or data exhilaration from the resource. Setting the stage for further attacks, like a Ransomware Attack.
    Investigative actions: Confirm that the identity intended to disable logging on this resource. Follow further actions done by the identity. Monitor other (non-disabled) activity logs related to this resource.

    Variations

    Cloud resource logging was disabled - failed attempt

    Informational overridden

    A failed attempt to disable cloud resource logging. overridden

    Cloud resource logging was disabled on an Azure DB/storage resource

    Informational overridden

    Cloud resource logging was disabled on a DB/storage resource. overridden

    Cloud resource logging was disabled on a GCP DB/storage resource

    Low overridden

    Cloud resource logging was disabled on a DB/storage resource. overridden

  • CloudTrail logging deletion Informational Cloud 2 variations

    CloudTrail logging trail deletion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Verify whether the identity attempted to delete the trail. Determine whether an additional trail needs to be enabled.

    Variations

    Successful CloudTrail logging deletion by a non-admin identity

    Medium overridden

    CloudTrail logging trail deletion. overridden

    Successful CloudTrail logging deletion by an unusual identity

    Low overridden

    CloudTrail logging trail deletion. overridden

  • Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations

    An identity has modified data sharing settings between GCP and Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.

    Variations

    Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

  • Data encryption was disabled Informational Cloud

    A cloud identity has disabled data encryption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Weaken Encryption (T1600) Impair Defenses (T1562)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: An attacker is trying to access sensitive data in plaintext. An attacker might try to exfiltrate plaintext data to an endpoint controlled by the attacker and avoid detection. An attacker can re-encrypt the data with a key that is available only to the attacker.
    Investigative actions: Check if the identity intended to disable data encryption. Check which cloud assets were affected by manipulating the above-mentioned configuration file. Check if the identity performed additional suspicious actions to affected assets.
  • Disable Microsoft Defender Antivirus via registry Low

    Disable Microsoft Defender Antivirus via registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adversary may attempt to disable defender antivirus to execute malicious tools and move through the network without triggering alarms.
    Investigative actions: Investigate the process that set or create the registry key.
  • Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    A recently configured Exchange DKIM signing configuration was disabled

    Informational overridden

    A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden

  • Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.
  • Exchange Safe Link policy disabled or removed Low Identity Threat Module Email

    A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.
  • Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.

    Variations

    Recently configured Exchange anti-phish policy disabled or removed

    Informational overridden

    A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden

  • Exchange audit log disabled Low Identity Threat Module Email

    A user disabled the Exchange audit log. This may indicate an attempt to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Exchange mailbox audit bypass Low Identity Threat Module Email

    A user added mailbox audit bypass for an account. This will allow the account to perform actions without being logged, and may indicate an attempt to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may abuse the audit bypass mechanism to conceal actions and evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected.
  • Exchange malware filter policy removed Low Identity Threat Module Email

    A user removed an Exchange malware filter policy, which may prevent the detection of malware.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to evade detection.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed. Monitor for signs of malware in future messages.
  • GCP Firewall Rule Modification Informational Cloud

    A GCP firewall rule was modified. An attacker might use this technique to access restricted resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.
  • GCP Firewall Rule creation Informational Cloud

    A GCP VPN firewall rule was created. An attacker might use this technique to block or open access to/from restricted areas.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the created rule. Check the cloud identity activity before and after the rule creation.
  • GCP Logging Bucket Deletion Informational Cloud

    A GCP logging bucket was deleted. An attacker might delete the bucket to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Evade detection.
    Investigative actions: Check which logs were affected by the bucket deletion. Check The cloud identity activity prior/after to the bucket deletion.
  • GCP VPC Firewall Rule Deletion Informational Cloud

    A GCP VPC firewall rule was deleted. An attacker might use this technique to access restricted resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
    Required data: Gcp Audit Log
    Attacker's goals: Access restricted resources.
    Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.
  • GCP data asset shared public Low Cloud

    The GCP data asset was publicly shared.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Data Detection & Response
    Attacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.
    Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.
  • GCP logging sink deletion Informational Cloud 1 variation

    A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Identify the logs impacted by the deletion. Review cloud identity activity before and after the deletion.

    Variations

    GCP logging sink deletion

    Low overridden

    A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection. overridden

  • GCP logging sink modification Informational Cloud 2 variations

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Gcp Audit Log
    Attacker's goals: Evade detection by limiting collected data.
    Investigative actions: Identify the relevant logs impacted by the modification. Review The cloud identity activity before and after the logging sink modification.

    Variations

    GCP logging sink modification

    Medium overridden

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden

    GCP logging sink modification

    Low overridden

    A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden

  • Indicator blocking Informational 1 variation

    Auditing or logging configuration changes on Linux host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Impairing host defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Indicator blocking in a Kubernetes pod

    Low overridden

    Auditing or logging configuration changes on Linux host. overridden

  • Iptables configuration command was executed Informational 7 variations

    The iptables process was executed with a command to add or delete rules on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: Adding or deleting system firewalls rules to avoid possible detection.
    Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.

    Variations

    Rare iptables port forward command was executed

    Low overridden

    An iptables command was executed to perform port forward, This command is unpopular. overridden

    Uncommon iptables port forward command was executed on the host

    Informational overridden

    An iptables command was executed to perform port forward, This command is uncommon for the host. overridden

    Rare iptables delete command was executed

    Low overridden

    An iptables command was executed to delete rule, This command is unpopular. overridden

    A rare iptables delete command was executed on the host

    Informational overridden

    An iptables command was executed to delete rule, This command is uncommon for the host. overridden

    A rare iptables flush all command was executed

    Low overridden

    An iptables command was executed to flush all rules, This command is unpopular. overridden

    A rare iptables flush command was executed

    Low overridden

    An iptables command was executed to flush all rules, This command is unpopular. overridden

    A rare iptables flush command was executed on the host

    Informational overridden

    An iptables command was executed to flush rules, This command is uncommon for the host. overridden

  • Kubernetes cluster events deletion Informational Cloud

    Kubernetes cluster events deletion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Adversaries may delete Kubernetes events to avoid possible detection.
    Investigative actions: Check whether these changes are expected.
  • Linux system firewall was modified Low

    The system firewall was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Exfiltrate data or move laterally in the organization.
    Investigative actions: Examine the command to understand which IPs or ports were affected. Check the communication allowed by the modified firewall rule.
  • Logging was impaired via external encryption key Medium Cloud

    The resource was configured with an external key This might be an attempt to disrupt log inspection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Modifying the key used to encrypt the logs to remain undetected.
    Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.
  • MFA device was removed/deactivated from an IAM user Informational Cloud

    Deactivate an MFA device and disassociate it from an IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562)
    Required data: AWS Audit Log
    Attacker's goals: This may allow an attacker to gain access to the IAM user.
    Investigative actions: Check if IAM requires MFA to be enabled.
  • Microsoft 365 DLP policy disabled or removed Informational Identity Threat Module Email 1 variation

    A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Office 365 Audit
    Attacker's goals: An attacker is attempting to bypass Microsoft 365 Data Loss Prevention (DLP) policies.
    Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Monitor the user's activity for any access to sensitive data or data exfiltration. Investigate if any other security policies have been changed or removed.

    Variations

    Rare Microsoft 365 DLP policy removal

    Low overridden

    A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion. overridden

  • Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams the application setup policy, which is responsible for application management, was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.

    Variations

    A user changed the Microsoft Teams application setup policy for the first time

    Low overridden

    Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden

  • Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams external communication policy was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)
    ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

    Variations

    Microsoft Teams external communication policy was modified by an unusual user

    Low overridden

    Microsoft Teams external communication policy was modified. overridden

  • New addition to Windows Defender exclusion list Low 1 variation

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on the host and evade security controls.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.

    Variations

    New addition to Windows Defender exclusion list from an unsigned process

    Medium overridden

    Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden

  • Security object deletion in Google Workspace Admin Console Informational Identity Threat Module 1 variation

    A security object was deleted in Google Workspace Admin Console.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may modify or disable security rules to avoid detection of their activities.
    Investigative actions: Investigate the security object name deleted and whether it was intended. Check if the user was recently granted new elevated permissions that allowed them to delete security rules. Follow other administrative or suspicious actions performed by this user around the same time.

    Variations

    Security object deletion in Google Workspace Admin Console for the first time

    Low overridden

    A security object was deleted in Google Workspace Admin Console. overridden

  • Suspicious SSH Downgrade Low 2 variations

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)
    ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)
    Required data: Palo Alto Networks Firewall EAL Logs
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.
    Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.

    Variations

    A Host Performed an SSH Downgrade For The First Time In The Last 30 Days

    Low overridden

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden

    A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days

    Low overridden

    The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden

  • Suspicious activity on logging bucket Informational Cloud 1 variation

    An identity performed a suspicious activity on bucket used to store logs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: Evade detection by tampering the logs.
    Investigative actions: Verify whether the identity attempted to access the bucket. Verify no logs were modified in the bucket.

    Variations

    Suspicious deletion on CloudTrail logging bucket

    Medium overridden

    An identity performed a suspicious activity on bucket used to store CloudTrail logs. overridden

  • Suspicious disablement of the Windows Firewall Low

    The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with C2 servers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.
    Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if the process is legitimately disabling the firewall.
  • Suspicious disablement of the Windows Firewall using PowerShell commands Medium

    The Windows Firewall has been disabled using PowerShell. Malware may turn it off to exfiltrate data and communicate with C2 servers.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.
    Investigative actions: Check Windows event logs to see the PowerShell command or script that was executed. Check whether the PowerShell command is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that disabled the firewall.
  • Tampering with Internet Explorer Protected Mode configuration Informational 2 variations

    When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent
    Attacker's goals: When an add-on is running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched. Attackers may change this value to make the process launch with higher privileges.
    Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Tampering with Internet Explorer Protected Mode default configuration

    Medium overridden

    When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden

    Tampering with Internet Explorer Protected Mode specific app configuration

    Informational overridden

    When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden

  • The Linux system firewall was disabled Low

    The system firewall was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    10 Minutes
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)
    Required data: XDR Agent
    Attacker's goals: Exfiltrate data or move laterally in the organization.
    Investigative actions: Examine the command to understand which ip or port were affected. Check the communication allowed by the created firewall rule.
  • Unusual Netsh PortProxy rule Low 2 variations

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)
    ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.
    Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Unusual Netsh PortProxy rule by non-netsh process

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

    Unusual Netsh PortProxy rule by an unsigned causality actor

    Medium overridden

    Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden

  • User set insecure CA registry setting for global SANs Low Identity Analytics

    A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Certificate Services Analytics
    Attacker's goals: This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.
    Investigative actions: Confirm whether the registry change was authorized by the user or system administrator. Monitor certificate enrollments with Subject Alternate Names. Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies. Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.