Analytics Alerts
Browse the Cortex analytics alert reference.
12 alerts match the current filters. tactic: TA0040 ✕ technique: T1489 ✕
Show ATT&CK heatmapA service was disabled Informational 3 variations
A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: XDR AgentAttacker's goals: Evade detection by certain programs. Limit the functionality and availability of systems, services, and network resources.Investigative actions: Check if the disabled service could potentially threaten a malicious actor, or if holds a critical role. Investigate the disabling process to understand if it performed other suspicious actions.Variations
A service was disabled without using the ServiceControlManager RPC interface
Informational overridden
A service was disabled abnormally through the registry. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden
An injected process performed an uncommon service deactivation
Informational overridden
A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden
An unsigned process performed an uncommon service deactivation
Low overridden
A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden
Aurora DB cluster stopped Informational Cloud
An Aurora DB cluster (RDS) was stopped.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: This may assist an attacker to exfiltrate sensitive information.Investigative actions: Check if the identity intended to stop the cluster. Check if this DB contains sensitive information. Check encryption for the DB cluster (at rest).Azure Automation Runbook Deletion Informational Cloud
An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)Required data: Azure Audit LogAttacker's goals: Stop business services.Investigative actions: Check which runbook was deleted and whether it is malicious or valid.Broker Collection Error Informational 2 variations
A collection error was detected on a broker VM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Variations
Broker Collector Critical Error
High overridden
A collection error was detected on a broker VM. overridden
Broker Collection Issue
Medium overridden
A collection error was detected on a broker VM. overridden
Collection error High
A collection error was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Correlation rule error Medium
An error was identified while running a correlation rule.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 12 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Error in event forwarding Medium
An error was detected in event forwarding.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 4 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.GCP Pub/Sub Subscription Deletion Informational Cloud
A GCP Pub/Sub subscription was deleted. An attacker might use this technique to affect business workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: Gcp Audit LogAttacker's goals: Interrupt business services.Investigative actions: Check which services were affected due to the Pub/Sub deletion. Check The cloud identity activity prior/after the subscription deletion.GCP Pub/Sub Topic Deletion Informational Cloud
A GCP Pub/Sub topic was deleted, might affect workflows due to interrupts within the Pub/Sub pipeline.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: Gcp Audit LogAttacker's goals: Interrupt business services.Investigative actions: Check which services were affected due to the Pub/Sub topic deletion. Check The cloud identity activity prior/after the topic deletion.Logs were not collected from a data source for an abnormally long time Low 4 variations
Logs were not collected from a data source for an abnormally long time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 6 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Variations
Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time
Low overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time
Low overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a data source for an abnormally long time, which indicates a significant stop
Medium overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently
Medium overridden
Logs were not collected from a data source for an abnormally long time. overridden
Parsing Rule Error Medium
A Parsing Rule error was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Uncommon service stop operation Informational
An attempt to stop a service was made using an unusual shell command.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Service Stop (T1489)Required data: XDR AgentAttacker's goals: Attackers may disable services to disrupt system functionality and weaken security defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.