Analytics Alerts
Browse the Cortex analytics alert reference.
23 alerts match the current filters. tactic: TA0040 ✕ technique: T1485 ✕
Show ATT&CK heatmapA Kubernetes Pod was deleted Informational Cloud
A Kubernetes Pod was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Destroy data to interrupt cluster services and availability.Investigative actions: Check which Kubernetes Pods were deleted.A Kubernetes cluster was created or deleted Informational Cloud
A Kubernetes cluster was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Leverage access to manipulate the Kubernetes infrastructure.Investigative actions: Check which changes were made to the Kubernetes cluster and whether they are expected.A container registry was created or deleted Informational Cloud
A container registry was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to sensitive data stored in the container registry. Modify or delete existing data in the container registry.Investigative actions: Check the activity logs to determine what was created or removed.AWS CloudWatch log group deletion Informational Cloud
An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.AWS CloudWatch log stream deletion Informational Cloud
An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.AWS RDS cluster deletion Informational Cloud
A previously provisioned DB cluster (RDS) was deleted.When a DB cluster is being deleted, all automated backups for that DB cluster are deleted and can't be recovered.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Destruction of data.Investigative actions: Check which cluster was deleted. Check if there are any manual backups for that cluster (as they are not affected by this action).An AWS EFS File-share mount was deleted Informational Cloud
An AWS EFS File-share mount was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Modify or delete data stored in the EFS File-share.Investigative actions: Verify whether the identity that deleted the File-share should be making this action.An AWS EFS file-share was deleted Informational Cloud
An AWS EFS File-share has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Gain access to sensitive data stored on the AWS EFS File-share.Investigative actions: Check the AWS EFS File-shares for any modifications or deletions.An AWS EKS cluster was created or deleted Informational Cloud
An AWS EKS cluster has been created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)Required data: AWS Audit LogAttacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.An AWS RDS Global Cluster Deletion Informational Cloud
An AWS RDS global cluster was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Destruction of data.Investigative actions: Check for existing backups for the deleted cluster. Check if a secondary cluster exists, which was detached before the global deletion.An AWS SES identity was deleted Informational Cloud
An AWS SES identity has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit LogAttacker's goals: Gain access to confidential emails of an organization.Investigative actions: Check whether the identity that executed the API should be making this action.An Azure Kubernetes Cluster was created or deleted Informational Cloud
An Azure Kubernetes Cluster was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Azure Audit LogAttacker's goals: Leverage access to Azure Kubernetes to disrupt or damage the organization's infrastructure.Investigative actions: Verify whether the identity is authorized to perform this action. Investigate any suspicious activity initiated by the identity.Azure Resource Group Deletion Informational Cloud
Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check which resource group was deleted.Broker Collection Error Informational 2 variations
A collection error was detected on a broker VM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Variations
Broker Collector Critical Error
High overridden
A collection error was detected on a broker VM. overridden
Broker Collection Issue
Medium overridden
A collection error was detected on a broker VM. overridden
Deletion of multiple cloud resources Informational Cloud 2 variations
An identity deleted multiple cloud resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.Variations
Deletion of multiple cloud resources
Medium overridden
An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen across all projects for the last 30 days. overridden
Deletion of multiple cloud resources
Low overridden
An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen in this project for the last 30 days. overridden
GCP Storage Bucket deletion Informational Cloud 1 variation
A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Data destruction.Investigative actions: Check which data was deleted from the bucket.Variations
GCP Storage Bucket containing sensitive data was deleted
Informational overridden
A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows. overridden
ML artifacts destruction Low Cloud 1 variation
An identity deleted multiple ML artifacts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.Variations
Unusual ML artifacts destruction
Medium overridden
An identity deleted multiple ML artifacts.This large volume of deleted ML artifacts had not been seen across all projects for the last 30 days. overridden
Massive files deletion in Box Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Box Audit LogAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Box with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped. overridden
Massive files deletion in Dropbox Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: DropBoxAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Dropbox with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped. overridden
Massive files deletion in Google Drive Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Google Drive with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped. overridden
Massive files deletion in Microsoft SharePoint or OneDrive Informational Identity Threat Module 1 variation
A user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485)Required data: Office 365 AuditAttacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.Variations
Massive files deletion in Microsoft SharePoint or OneDrive with suspicious parameters
Low overridden
A suspicious user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped. overridden
Unusual AWS S3 objects deletion Informational Cloud 2 variations
An identity deleted multiple S3 bucket objects from the project, considerably more than usual.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.Variations
A non administrative identity deleted multiple S3 objects from a project
Low overridden
An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden
An identity permanently deleted multiple S3 objects from a project
Medium overridden
An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden
Unusual resource modification by newly seen IAM user Informational Cloud 3 variations
A cloud resource was modified by a newly seen IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage access to manipulate cloud infrastructure.Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.Variations
Unusual Kubernetes resource modification by newly seen IAM user
Informational overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual IAM resource modification by newly seen IAM user
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden
Unusual resource modification by newly seen IAM user from an uncommon IP
Low overridden
A cloud resource was modified by a newly seen IAM user. overridden