Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0005 ✕ technique: T1565 ✕

Show ATT&CK heatmap
  • Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations

    An identity has modified data sharing settings between GCP and Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.

    Variations

    Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

  • Logging was impaired via external encryption key Medium Cloud

    The resource was configured with an external key This might be an attempt to disrupt log inspection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Modifying the key used to encrypt the logs to remain undetected.
    Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.