Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

10 alerts match the current filters. tactic: TA0040 ✕ technique: T1490 ✕

Show ATT&CK heatmap
  • AWS Backup recovery point deletion Informational Cloud

    An attempt was made to delete an AWS Backup recovery point.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete backup recovery points to prevent system recovery after compromise.
    Investigative actions: Identify the deleted recovery point and its associated resource. Investigate the identity that performed the deletion and review recent related activity.
  • AWS EBS snapshot deletion Informational Cloud

    An attempt was made to delete an EBS snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.
    Investigative actions: Identify the deleted snapshot and its associated resource. Investigate the identity that performed the deletion and review recent related activity.
  • Cloud storage automatic backup disabled Informational Cloud 1 variation

    Automatic backup of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.
    Investigative actions: Confirm that the identity intended to disable automatic backup on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Cloud storage automatic backup disabled from a CLI

    Informational overridden

    Automatic backup of a cloud storage resource was disabled from a CLI. overridden

  • Cloud storage delete protection disabled Informational Cloud 1 variation

    Delete protection of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.
    Investigative actions: Confirm that the identity intended to disable deletion protection on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Cloud storage delete protection disabled by an unusual identity

    Informational overridden

    Delete protection of a cloud storage resource was disabled by an unusual identity. overridden

  • Object versioning was disabled Informational Cloud 1 variation

    Object versioning of a cloud storage resource was disabled.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log Azure Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.
    Investigative actions: Confirm that the identity intended to disable the resource versioning. Follow further actions done by the identity. Monitor this resource for other suspicious activities.

    Variations

    Object versioning was disabled by an unusual identity

    Informational overridden

    Cloud storage versioning was disabled/suspended by an unusual identity. overridden

  • Soft delete of cloud storage configuration was disabled Informational Cloud

    A Soft Delete configuration was disabled on a cloud storage account.Soft delete allows a deletion of a blob or a container to be restored.Disabling it will impair the ability of the cloud environment to recover in disaster scenarios.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.
    Investigative actions: Check if the identity intended to disable soft delete for this storage account. Check if the identity performed additional malicious operations in the cloud environment.
  • Suspicious EBS snapshots deletion Low Cloud 1 variation

    An identity deleted multiple EBS snapshots from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.
    Investigative actions: Identify the deleted snapshots and their associated resources. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity successfully deleted multiple snapshots from a project

    Medium overridden

    An identity deleted multiple EBS snapshots from the project, considerably more than usual. overridden

  • Unusual AWS S3 objects deletion Informational Cloud 2 variations

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.
    Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity deleted multiple S3 objects from a project

    Low overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

    An identity permanently deleted multiple S3 objects from a project

    Medium overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

  • Wbadmin deleted files in quiet mode High

    Wbadmin was used to delete files in quiet mode.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: XDR Agent
    Attacker's goals: Adversaries may delete the backup catalog to prevent recovery of a corrupted system.
    Investigative actions: Check if the delete action was legitimate and performed by an authorized user.
  • Windows Event Log was cleared using wevtutil.exe Low 2 variations

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490)
    Required data: XDR Agent
    Attacker's goals: Delete logs to cover tracks of the malicious activity, making it harder to perform analysis.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Security Event Log was cleared using wevtutil.exe

    High overridden

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden

    A Sensitive Windows Event Log was cleared using wevtutil.exe

    Medium overridden

    A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden