Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0010 ✕ technique: T1578 ✕
Show ATT&CK heatmapAn unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation
An unusual cloud identity was granted permissions to a BigQuery table or dataset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.Variations
Cloud admin granted an unknown identity permissions to a BigQuery resource
Informational overridden
An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden
Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden