Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

92 alerts match the current filters. tactic: TA0040 ✕

Show ATT&CK heatmap
  • A Google Workspace Role privilege was deleted Informational Identity Threat Module

    A privilege was removed from a Google Workspace Role, This could potentially affect the access to services and data in the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Gain access to sensitive data stored in the workspace. Gain elevated privileges in the workspace.
    Investigative actions: Investigate who was assigned the deleted role privilege. Verify if the role privilege was deleted intentionally.
  • A Google Workspace user was removed from a group Informational Identity Threat Module

    A user removed another user from a Google Workspace group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may interrupt the availability of services and resources by inhibiting access to users.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user's work can be affected by this action. Follow further actions done by the account.
  • A Kubernetes Pod was deleted Informational Cloud

    A Kubernetes Pod was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Destroy data to interrupt cluster services and availability.
    Investigative actions: Check which Kubernetes Pods were deleted.
  • A Kubernetes cluster was created or deleted Informational Cloud

    A Kubernetes cluster was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Leverage access to manipulate the Kubernetes infrastructure.
    Investigative actions: Check which changes were made to the Kubernetes cluster and whether they are expected.
  • A Kubernetes service was created or deleted Informational Cloud

    A Kubernetes service was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Attackers may attempt to perform denial-of-service attacks to make services unavailable.
    Investigative actions: Check which changes were made to the Kubernetes service.
  • A Possible crypto miner was detected on a host Medium

    The host produced traffic consistent with the crypto mining.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Resource Hijacking (T1496)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Abuse resources to mine crypto coins.
    Investigative actions: Check the host for crypto mining client software. Look for differences in the resource consumption from this host. Examine the client's network traffic for suspicious domains affiliated with mining or mining pools.
  • A cloud instance was stopped Informational Cloud

    A cloud compute instance was stopped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: System Shutdown/Reboot (T1529)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Review recent activity related to the identity and the affected cloud instance.
  • A container registry was created or deleted Informational Cloud

    A container registry was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to sensitive data stored in the container registry. Modify or delete existing data in the container registry.
    Investigative actions: Check the activity logs to determine what was created or removed.
  • A service was disabled Informational 3 variations

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: XDR Agent
    Attacker's goals: Evade detection by certain programs. Limit the functionality and availability of systems, services, and network resources.
    Investigative actions: Check if the disabled service could potentially threaten a malicious actor, or if holds a critical role. Investigate the disabling process to understand if it performed other suspicious actions.

    Variations

    A service was disabled without using the ServiceControlManager RPC interface

    Informational overridden

    A service was disabled abnormally through the registry. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

    An injected process performed an uncommon service deactivation

    Informational overridden

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

    An unsigned process performed an uncommon service deactivation

    Low overridden

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

  • A third-party application's access to the Google Workspace domain's resources was revoked Informational Identity Threat Module

    An identity removed a third-party application's access to Google Workspace domain's resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker might remove an application to impair the environment.
    Investigative actions: Check the Google Workspace Application settings to determine which actions were triggered. Investigate the source of the request and the user associated with it. Review the access control policies to determine if the removal of the application is allowed.
  • AWS Backup recovery point deletion Informational Cloud

    An attempt was made to delete an AWS Backup recovery point.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete backup recovery points to prevent system recovery after compromise.
    Investigative actions: Identify the deleted recovery point and its associated resource. Investigate the identity that performed the deletion and review recent related activity.
  • AWS CloudWatch log group deletion Informational Cloud

    An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.
  • AWS CloudWatch log stream deletion Informational Cloud

    An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.
  • AWS EBS snapshot deletion Informational Cloud

    An attempt was made to delete an EBS snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.
    Investigative actions: Identify the deleted snapshot and its associated resource. Investigate the identity that performed the deletion and review recent related activity.
  • AWS IAM resource group deletion Informational Cloud

    An AWS IAM resource group was deleted, this action may affect the permissions of the members of the deleted group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may interrupt the availability of an account, this may revoke access to the account.
    Investigative actions: Check what members were affected by this action.
  • AWS RDS cluster deletion Informational Cloud

    A previously provisioned DB cluster (RDS) was deleted.When a DB cluster is being deleted, all automated backups for that DB cluster are deleted and can't be recovered.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Destruction of data.
    Investigative actions: Check which cluster was deleted. Check if there are any manual backups for that cluster (as they are not affected by this action).
  • Abnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations

    An identity allocated an unusual compute resource pool, suspected as mining activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to generate virtual currency.
    Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).

    Variations

    Abnormal Unusual allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Suspicious allocation of compute resources in multiple regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in a high number of regions

    High overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

    Abnormal Allocation of compute resources in multiple regions by an unusual identity

    Low overridden

    An identity allocated an unusual compute resource pool, suspected as mining activity. overridden

  • Allocation of multiple cloud compute resources Informational Cloud 5 variations

    An identity allocated multiple compute resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to earn virtual currency.
    Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.

    Variations

    Unusual allocation of multiple cloud compute resources

    High overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

    Unusual allocation of multiple cloud compute resources

    Medium overridden

    An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden

    Allocation of multiple cloud compute resources with accelerator gear

    Low overridden

    An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden

    Unusual allocation attempt of multiple cloud compute resources

    Low overridden

    An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden

  • An AWS EFS File-share mount was deleted Informational Cloud

    An AWS EFS File-share mount was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Modify or delete data stored in the EFS File-share.
    Investigative actions: Verify whether the identity that deleted the File-share should be making this action.
  • An AWS EFS file-share was deleted Informational Cloud

    An AWS EFS File-share has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Gain access to sensitive data stored on the AWS EFS File-share.
    Investigative actions: Check the AWS EFS File-shares for any modifications or deletions.
  • An AWS EKS cluster was created or deleted Informational Cloud

    An AWS EKS cluster has been created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.
    Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.
  • An AWS RDS Global Cluster Deletion Informational Cloud

    An AWS RDS global cluster was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Destruction of data.
    Investigative actions: Check for existing backups for the deleted cluster. Check if a secondary cluster exists, which was detached before the global deletion.
  • An AWS S3 bucket configuration was modified Informational Cloud

    An AWS S3 bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify storage configuration to detection or allow access to sensitive information.
    Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.
  • An AWS SES identity was deleted Informational Cloud

    An AWS SES identity has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to confidential emails of an organization.
    Investigative actions: Check whether the identity that executed the API should be making this action.
  • An Azure Kubernetes Cluster was created or deleted Informational Cloud

    An Azure Kubernetes Cluster was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Azure Audit Log
    Attacker's goals: Leverage access to Azure Kubernetes to disrupt or damage the organization's infrastructure.
    Investigative actions: Verify whether the identity is authorized to perform this action. Investigate any suspicious activity initiated by the identity.
  • An Azure Kubernetes Service Account was modified or deleted Informational Cloud

    An Azure Kubernetes Service Account was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to privileged resources using Kubernetes Service Account.
    Investigative actions: Verify whether the identity should be making this action. Check the Kubernetes cluster for any suspicious activity initiated by the identity. Check if any other service accounts have been modified or deleted.
  • An Azure virtual network Device was modified Informational Cloud

    An Azure virtual network Device was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to resources within the virtual network. Gain access to sensitive data stored on the virtual network.
    Investigative actions: Investigate the Azure portal for the relevant virtual network device and review the changes made to it. Review the Azure Activity Log for any suspicious activities related to the virtual network device.
  • An Azure virtual network was modified Informational Cloud

    An Azure virtual network has been modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Azure Audit Log
    Attacker's goals: Manipulate, interrupt, or destroy data.
    Investigative actions: Verify whether the identity should be making this action. Check the audit logs for any suspicious activity related to the virtual network.
  • An internal Cloud resource performed port scan on external networks Medium Cloud

    An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Impact (TA0040)
    ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)
    Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR Agent
    Attacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.
    Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.
  • Aurora DB cluster stopped Informational Cloud

    An Aurora DB cluster (RDS) was stopped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: This may assist an attacker to exfiltrate sensitive information.
    Investigative actions: Check if the identity intended to stop the cluster. Check if this DB contains sensitive information. Check encryption for the DB cluster (at rest).
  • Azure Automation Runbook Deletion Informational Cloud

    An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)
    Required data: Azure Audit Log
    Attacker's goals: Stop business services.
    Investigative actions: Check which runbook was deleted and whether it is malicious or valid.
  • Azure Resource Group Deletion Informational Cloud

    Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which resource group was deleted.
  • Azure account deletion by a non-standard account Low Identity Threat Module 2 variations

    An Azure AD account deletion was performed by a user that doesn't typically delete users.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AzureAD Audit Log
    Attacker's goals: Interrupt availability and access to Azure by deleting access accounts.
    Investigative actions: Follow further actions by the initiator. Check what services, groups and applications are affected by the deleted user being removed. Check if the deleted user had a privileged role.

    Variations

    Azure account deletion by a non-standard account with high administrative activity

    Informational overridden

    An Azure AD account deletion was performed by an identity with high administrative activity that doesn't typically delete users. overridden

    A suspicious Azure account deletion by a non-standard account

    Medium overridden

    An Azure AD account deletion was performed by a user that doesn't typically delete users in a suspicious manner. overridden

  • Billing admin role was removed Low Cloud

    Sensitive Action - Billing admin role was removed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Prevent billing notifications from being sent to the billing admin.
    Investigative actions: Check if the identity intended to remove the billing admin. Check if the identity performed additional malicious operations in the cloud environment.
  • Broker Collection Error Informational 2 variations

    A collection error was detected on a broker VM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Broker Collector Critical Error

    High overridden

    A collection error was detected on a broker VM. overridden

    Broker Collection Issue

    Medium overridden

    A collection error was detected on a broker VM. overridden

  • Cloud identity reached a throttling API rate Informational Cloud 3 variations

    A cloud identity has executed a high volume of API calls, causing a throttling error.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse cloud resource, such behavior is usually seen during cryptocurrency attacks.
    Investigative actions: Check the identity created resources and their legitimacy. Look for any unusual behavior originated from the suspected identity.

    Variations

    Cloud identity reached a highly unusual throttling API rate

    Low overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This indicates on a high volume of cloud instances allocation, such activity may be related to a cryptocurrency attack. overridden

    Cloud identity reached an unusual throttling API rate in the cloud project

    Informational overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This API rate is unusual on the project level. overridden

    Cloud identity reached an unusual throttling API rate

    Informational overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This activity is unusual for The cloud identity, and was not seen in the last 30 days. overridden

  • Cloud storage automatic backup disabled Informational Cloud 1 variation

    Automatic backup of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.
    Investigative actions: Confirm that the identity intended to disable automatic backup on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Cloud storage automatic backup disabled from a CLI

    Informational overridden

    Automatic backup of a cloud storage resource was disabled from a CLI. overridden

  • Cloud storage delete protection disabled Informational Cloud 1 variation

    Delete protection of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.
    Investigative actions: Confirm that the identity intended to disable deletion protection on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Cloud storage delete protection disabled by an unusual identity

    Informational overridden

    Delete protection of a cloud storage resource was disabled by an unusual identity. overridden

  • Collection error High

    A collection error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Correlation rule error Medium

    An error was identified while running a correlation rule.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations

    An identity has modified data sharing settings between GCP and Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.

    Variations

    Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

  • Deletion of multiple cloud resources Informational Cloud 2 variations

    An identity deleted multiple cloud resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.
    Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.

    Variations

    Deletion of multiple cloud resources

    Medium overridden

    An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen across all projects for the last 30 days. overridden

    Deletion of multiple cloud resources

    Low overridden

    An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen in this project for the last 30 days. overridden

  • Disable encryption operations Low Cloud

    Encryption was disabled on the servers that host EC2 instances, both for data-at-rest and data-in-transit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation (T1565)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Decrypt sensitive data host on EC2 instance, this may be a step in a flow for data exfiltration.
    Investigative actions: Check if Identity intended to disable the encryption.
  • Error in event forwarding Medium

    An error was detected in event forwarding.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    4 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • GCP IAM Role Deletion Informational Cloud

    A GCP IAM role was created. An attacker might use this technique to interrupt users' actions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Inhibit users from accessing resources.
    Investigative actions: Check which users were affected by the role deletion. Check what other actions were taken by the identity that deleted the role.
  • GCP IAM Service Account Key Deletion Informational Cloud

    A GCP IAM service account key was deleted. An attacker might use this technique to interrupt business operations.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Account access removal.
    Investigative actions: Check which operations were corrupted after the deletion.
  • GCP IAM deny policy creation Low Cloud 1 variation

    An identity created a GCP IAM deny policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt availability of cloud resources by inhibiting access to accounts utilized by legitimate users.
    Investigative actions: Examine the details of the created deny policy. Review the recent activity of the identity.

    Variations

    Unusual GCP IAM deny policy creation

    Medium overridden

    An identity created a GCP IAM deny policy. overridden

  • GCP Pub/Sub Subscription Deletion Informational Cloud

    A GCP Pub/Sub subscription was deleted. An attacker might use this technique to affect business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Check which services were affected due to the Pub/Sub deletion. Check The cloud identity activity prior/after the subscription deletion.
  • GCP Pub/Sub Topic Deletion Informational Cloud

    A GCP Pub/Sub topic was deleted, might affect workflows due to interrupts within the Pub/Sub pipeline.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Check which services were affected due to the Pub/Sub topic deletion. Check The cloud identity activity prior/after the topic deletion.
  • GCP Service Account Deletion Informational Cloud

    A GCP service account was deleted. An attacker might use this technique to remove access to valid accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Account access removal.
    Investigative actions: Check which operations were corrupted after the deletion.
  • GCP Service Account Disable Informational Cloud

    A GCP service account was disabled. An attacker might use this technique to interrupt business procedures and workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Gcp Audit Log
    Attacker's goals: Account access removal.
    Investigative actions: Check if there were any services/procedures affected by the disable operation.
  • GCP Storage Bucket Configuration Modification Informational Cloud

    A GCP storage bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Manipulate stored data.
    Investigative actions: Check if there were any services/procedures affected by the modification. Check what other actions were taken by the identity that modified the configuration.
  • GCP Storage Bucket deletion Informational Cloud 1 variation

    A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Data destruction.
    Investigative actions: Check which data was deleted from the bucket.

    Variations

    GCP Storage Bucket containing sensitive data was deleted

    Informational overridden

    A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows. overridden

  • GCP Virtual Private Cloud (VPC) Network Deletion Informational Cloud

    A GCP VPC network was deleted. An attacker might use this technique to interrupt business resources and workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the VPC deletion. Check the cloud identity activity before and after the VPC network deletion.
  • GCP Virtual Private Network Route Creation Informational Cloud

    A GCP VPC route was created. An attacker might use this technique to impact business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the route creation. Check the cloud identity activity before or after the route creation.
  • GCP Virtual Private Network Route Deletion Informational Cloud

    A GCP VPC route was deleted. An attacker might use this technique to impact business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the route deletion. Check The cloud identity activity prior/after the route deletion.
  • Kubernetes network policy modification Informational Cloud

    A change has been made to the network policies of a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the network infrastructure. Gain access to sensitive data. Gain access to Kubernetes resources.
    Investigative actions: Investigate the Kubernetes Network Policy to identify the changes made. Verify whether the identity should be making this action.
  • Logging was impaired via external encryption key Medium Cloud

    The resource was configured with an external key This might be an attempt to disrupt log inspection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Modifying the key used to encrypt the logs to remain undetected.
    Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.
  • Logs were not collected from a data source for an abnormally long time Low 4 variations

    Logs were not collected from a data source for an abnormally long time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, which indicates a significant stop

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

  • ML artifacts destruction Low Cloud 1 variation

    An identity deleted multiple ML artifacts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.
    Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.

    Variations

    Unusual ML artifacts destruction

    Medium overridden

    An identity deleted multiple ML artifacts.This large volume of deleted ML artifacts had not been seen across all projects for the last 30 days. overridden

  • Massive files deletion in Box Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Box Audit Log
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Box with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Dropbox Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: DropBox
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Dropbox with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Google Drive Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Google Drive with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Microsoft SharePoint or OneDrive Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Microsoft SharePoint or OneDrive with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped. overridden

  • Multiple Azure AD admin role removals Low Identity Threat Module

    An Azure AD identity removed multiple administrators from their roles.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: AzureAD Audit Log
    Attacker's goals: An attacker may want to lock out an organization and retain sole access.
    Investigative actions: Check if the identity performing the actions was authorized to perform them. Check what roles the users were removed from. Check whether the identity is a newly added admin. Check if the identity is operating in its usual manner (location, time, operations) Check if the identity performed additional operations in the cloud environment that might be malicious.
  • Multiple user accounts were deleted Informational Identity Analytics 1 variation

    A user deleted multiple user accounts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Impact (TA0040)
    ATT&CK techniques: Valid Accounts (T1078) Account Access Removal (T1531)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Persistence using a valid account.
    Investigative actions: Check the user who deleted the accounts and verify the activity. Look into the recent activity of the deleted accounts and whether they were temporary or dormant.

    Variations

    A user deleted multiple users for the first time

    Low overridden

    A user deleted multiple user accounts. overridden

  • Object versioning was disabled Informational Cloud 1 variation

    Object versioning of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.
    Investigative actions: Confirm that the identity intended to disable the resource versioning. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Object versioning was disabled by an unusual identity

    Informational overridden

    Cloud storage versioning was disabled/suspended by an unusual identity. overridden

  • PIM privilege member removal Informational Cloud

    A cloud identity has removed a user's privileged role within PIM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Azure Audit Log
    Attacker's goals: Disrupt system and network access by blocking legitimate user accounts.
    Investigative actions: Investigate the suspected identity who initiated the removal. Identify the privileged accounts that were affected. Review the current access rights of the privileged accounts.
  • Parsing Rule Error Medium

    A Parsing Rule error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Possible Insider Threat Activity Low Identity Threat Module 1 variation

    A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Financial Theft (T1657)
    Required data: Azure Audit Log AzureAD AzureAD Audit Log Microsoft Graph Logs Office 365 Audit Okta Okta Audit Log Palo Alto Networks Firewall EAL Logs Palo Alto Networks Firewall threat Logs Palo Alto Networks Global Protect Third-Party VPNs Slack Audit Log XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An insider threat might use their access to organizational resources for personal gain.
    Investigative actions: Check how long the user has been part of the organization. Check if the user is about to leave the company. Verify that the user is not part of a department that performs such activity as part of daily operations.

    Variations

    Indicate Insider Threat Activity

    Medium overridden

    A user was observed performing suspicious activity that might indicate an attempt to use their access to organizational resources for personal gain. overridden

  • Potential denial of wallet abusing AI services Low Cloud 1 variation

    An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Application Exhaustion Flood (T1499.003) Resource Hijacking (T1496)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Disrupting or shutting down an ML service.
    Investigative actions: Investigate the impact on the ML service.

    Variations

    Possible denial of wallet abusing AI services

    Medium overridden

    An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption. overridden

  • S3 configuration deletion Informational Cloud

    An S3 bucket configuration has been deleted.This may affect the S3 access, and the objects it contains.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify the S3 configuration and expose stored sensitive data.
    Investigative actions: Check what data is stored on the S3. Check which configuration change has been made. Verify this change did not make this S3 publicly available.
  • Sensitive account password reset attempt Informational Identity Analytics 1 variation

    An attempt was made to reset a sensitive account's password.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Account Access Removal (T1531)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may attempt to gain access to the account.
    Investigative actions: Verify this action with the user who performed the change.

    Variations

    Sensitive account password reset attempt for the first time

    Low overridden

    An attempt was made to reset a sensitive account's password. overridden

  • Soft delete of cloud storage configuration was disabled Informational Cloud

    A Soft Delete configuration was disabled on a cloud storage account.Soft delete allows a deletion of a blob or a container to be restored.Disabling it will impair the ability of the cloud environment to recover in disaster scenarios.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.
    Investigative actions: Check if the identity intended to disable soft delete for this storage account. Check if the identity performed additional malicious operations in the cloud environment.
  • Spam Bot Traffic Low 2 variations

    The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Days
    Deduplication:
    3 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Resource Hijacking (T1496)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: The attacker uses the host as an SMTP client to send mails and hide their real origin.
    Investigative actions: Verify that the source is not an SMTP server. If Cortex XDR Analytics has failed to identify the process as a valid SMTP server, this alert will be a false positive. Verify that IP addresses are actually not being resolved by the non-SMTP process. If the process is performing DNS resolution with a DNS service outside your network, it is possible (depending on your network topology) that Cortex XDR Analytics will not observe that traffic. Because SMTP services typically use numerous IP addresses, this situation could cause a process to exceed a limit when it would otherwise fail to do so. If the SMTP connection activity turns out to be the result of malicious file activity, search on the Triage page for other endpoints infected with the file.

    Variations

    Spam Bot Traffic

    Informational overridden

    The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses. overridden

    Failed Spam Bot Traffic

    Informational overridden

    The endpoint connected to an excessive number of external SMTP servers.A spambot may be trying to send spam email using multiple SMTP servers.Spambots can cause your domain to be blacklisted, and can contain other malicious functionality. The same mechanism can also be used for exfiltration. Some VPN clients can also tunnel data over SMTP.Note: This detection model looks for SMTP connections to external servers, but the volume of traffic is not considered. A count is performed based on the number of domains being contacted, as well as the number of unresolved IP addresses. overridden

  • Suspicious AI Dataset Download Low Cloud 1 variation

    A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Manipulate datasets used by ML models.
    Investigative actions: Determine which dataset was accessed. Examine the changes made to the dataset.

    Variations

    Suspicious First-Time AI Dataset Download by Identity

    Medium overridden

    A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection. overridden

  • Suspicious AI Dataset Label Modification Low Cloud

    AI Dataset labels were modified by an identity that typically doesn't interact with labels.MITRE ATLAS Technique: AML.T0020 - Poison Training Data.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating training set, so that predictions on new data will be modified.
    Investigative actions: Check the identity that modified the dataset's labels. Check that the dataset is correctly labeled.
  • Suspicious EBS snapshots deletion Low Cloud 1 variation

    An identity deleted multiple EBS snapshots from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.
    Investigative actions: Identify the deleted snapshots and their associated resources. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity successfully deleted multiple snapshots from a project

    Medium overridden

    An identity deleted multiple EBS snapshots from the project, considerably more than usual. overridden

  • Suspicious ICMP traffic that resembles smurf attack Low

    ICMP smurf attack was used.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Service Exhaustion Flood (T1499.002) Network Denial of Service (T1498)
    Required data: XDR Agent
    Attacker's goals: Attempt to perform a denial-of-service attack by network exhaustion.
    Investigative actions: Check if the ICMP message to broadcast was used for a legitimate reason. If not, check for denial-of-service impact on the subnet.
  • Suspicious data encryption Low

    Known applications were used to encrypt data within a machine's local file system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)
    Required data: XDR Agent
    Attacker's goals: Damage or hide data on the local file system.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.
  • Suspicious heavy allocation of compute resources - possible mining activity Medium Cloud 3 variations

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)
    ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage cloud compute resources to earn virtual currency.
    Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. access key, service account, etc.

    Variations

    Suspicious heavy allocation of compute resources - possible mining activity

    Low overridden

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden

    Suspicious heavy allocation of compute resources - possible mining activity

    High overridden

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden

    Suspicious heavy allocation of compute resources - possible mining activity

    Medium overridden

    An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden

  • Suspicious objects encryption in an AWS bucket High Cloud

    An AWS KMS key from a non-organization account was used to encrypt multiple objects in a bucket for the first time.This may indicate an attacker attempting to perform a ransomware attack against the organization's cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Gain monetary compensation in exchange for decryption or the decryption key. Permanently deny access to important storage objects.
    Investigative actions: Check if the external KMS service is a legit encryption service. Check if the identity performed enumeration activity to detect insecure S3 buckets, which are configured without the versioning and MFA Delete mechanisms. Detect additional buckets that were encrypted using the same external KMS service. Disable the identity from which the external service was configured. Enable versioning on every critical bucket. Enable MFA Delete on every critical bucket.
  • Suspicious theme and sentiment in email Informational Email

    The email's body has a theme and sentiment that may indicate a malicious attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Hour 30 Minutes
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Financial Theft (T1657)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Microsoft 365 Emails Office 365 Audit Okta Audit Log Salesforce Slack Audit Log
    Detector tags: Phishing
    Attacker's goals: Trick recipients into revealing sensitive information, hijack the organization, or obtain money through deception.
    Investigative actions: Review the email headers and metadata of to identify potential spoofing techniques or unusual routing patterns. Analyze any URLs or attachments in a secure sandbox environment to detect possible malware or phishing attempts. Correlate findings with recent alerts in the SIEM to assess whether similar accumulation patterns are forming. Engage potentially affected users to understand if any actions were taken in response to this email, which could increase the overall risk. Document and escalate findings if the accumulation of warnings suggests a broader phishing campaign.
  • System shutdown or reboot Informational

    System shutdown or reboot using shutdown, reboot, halt or poweroff.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: System Shutdown/Reboot (T1529)
    Required data: XDR Agent
    Attacker's goals: Attackers may shut down or reboot hosts to disturb access to those hosts.
    Investigative actions: Verify that this isn't IT activity.
  • Uncommon service stop operation Informational

    An attempt to stop a service was made using an unusual shell command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: XDR Agent
    Attacker's goals: Attackers may disable services to disrupt system functionality and weaken security defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Unusual AI Knowledge Base Modification Low Cloud 1 variation

    An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.
    Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.

    Variations

    Suspicious AI Knowledge Base Modification

    Medium overridden

    An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases, adding a new data source type. overridden

  • Unusual AI RAG Knowledge Base Modification Low Cloud

    AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.
    Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.
  • Unusual AI dataset modification Low Cloud 1 variation

    A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Poison datasets used by ML models.
    Investigative actions: Examine changed datasets and determine which ML models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual AI dataset modification from an internal IP address

    Informational overridden

    A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning. overridden

  • Unusual AWS S3 objects deletion Informational Cloud 2 variations

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.
    Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity deleted multiple S3 objects from a project

    Low overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

    An identity permanently deleted multiple S3 objects from a project

    Medium overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

  • Unusual resource modification by newly seen IAM user Informational Cloud 3 variations

    A cloud resource was modified by a newly seen IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to manipulate cloud infrastructure.
    Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.

    Variations

    Unusual Kubernetes resource modification by newly seen IAM user

    Informational overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual IAM resource modification by newly seen IAM user

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual resource modification by newly seen IAM user from an uncommon IP

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

  • Wbadmin deleted files in quiet mode High

    Wbadmin was used to delete files in quiet mode.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: XDR Agent
    Attacker's goals: Adversaries may delete the backup catalog to prevent recovery of a corrupted system.
    Investigative actions: Check if the delete action was legitimate and performed by an authorized user.
  • Windows Event Log was cleared using wevtutil.exe Low 2 variations

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: XDR Agent
    Attacker's goals: Delete logs to cover tracks of the malicious activity, making it harder to perform analysis.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Security Event Log was cleared using wevtutil.exe

    High overridden

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden

    A Sensitive Windows Event Log was cleared using wevtutil.exe

    Medium overridden

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden