Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0040 ✕ technique: T1486 ✕

Show ATT&CK heatmap
  • An AWS S3 bucket configuration was modified Informational Cloud

    An AWS S3 bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify storage configuration to detection or allow access to sensitive information.
    Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.
  • S3 configuration deletion Informational Cloud

    An S3 bucket configuration has been deleted.This may affect the S3 access, and the objects it contains.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Modify the S3 configuration and expose stored sensitive data.
    Investigative actions: Check what data is stored on the S3. Check which configuration change has been made. Verify this change did not make this S3 publicly available.
  • Suspicious data encryption Low

    Known applications were used to encrypt data within a machine's local file system.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)
    Required data: XDR Agent
    Attacker's goals: Damage or hide data on the local file system.
    Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.
  • Suspicious objects encryption in an AWS bucket High Cloud

    An AWS KMS key from a non-organization account was used to encrypt multiple objects in a bucket for the first time.This may indicate an attacker attempting to perform a ransomware attack against the organization's cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Encrypted for Impact (T1486)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Gain monetary compensation in exchange for decryption or the decryption key. Permanently deny access to important storage objects.
    Investigative actions: Check if the external KMS service is a legit encryption service. Check if the identity performed enumeration activity to detect insecure S3 buckets, which are configured without the versioning and MFA Delete mechanisms. Detect additional buckets that were encrypted using the same external KMS service. Disable the identity from which the external service was configured. Enable versioning on every critical bucket. Enable MFA Delete on every critical bucket.