Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0007 ✕ technique: T1654 ✕

Show ATT&CK heatmap
  • Log enumeration via cloud native logging service Informational Cloud 1 variation

    An activity of log enumeration operations via cloud native logging service was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Log Enumeration (T1654)
    Required data: AWS Audit Log
    Attacker's goals: Gaining information about your environment as part of the discovery phase.
    Investigative actions: Check the identity which invoked the operations.

    Variations

    Log enumeration via cloud native logging service invoked by an identity for the first time

    Low overridden

    An activity of log enumeration operations via cloud native logging service was detected. overridden

  • SCCM log files enumeration Informational Identity Analytics 1 variation

    Multiple local SCCM logs were accessed within a short period of time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Log Enumeration (T1654)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Enumerate data about the SCCM configuration, infrastructure and deployments.
    Investigative actions: Check suspicious network connections from the process or host. Check if the user account that initiated the enumeration is supposed to access these files.

    Variations

    Suspicious SCCM log files enumeration

    Low overridden

    Multiple local SCCM logs were abnormally accessed within a short period of time. overridden