Analytics Alerts
Browse the Cortex analytics alert reference.
14 alerts match the current filters. tactic: TA0040 ✕ technique: T1498 ✕
Show ATT&CK heatmapA Kubernetes service was created or deleted Informational Cloud
A Kubernetes service was created or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Attackers may attempt to perform denial-of-service attacks to make services unavailable.Investigative actions: Check which changes were made to the Kubernetes service.An Azure virtual network Device was modified Informational Cloud
An Azure virtual network Device was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Azure Audit LogAttacker's goals: Gain access to resources within the virtual network. Gain access to sensitive data stored on the virtual network.Investigative actions: Investigate the Azure portal for the relevant virtual network device and review the changes made to it. Review the Azure Activity Log for any suspicious activities related to the virtual network device.An Azure virtual network was modified Informational Cloud
An Azure virtual network has been modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Azure Audit LogAttacker's goals: Manipulate, interrupt, or destroy data.Investigative actions: Verify whether the identity should be making this action. Check the audit logs for any suspicious activity related to the virtual network.Cloud identity reached a throttling API rate Informational Cloud 3 variations
A cloud identity has executed a high volume of API calls, causing a throttling error.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Abuse cloud resource, such behavior is usually seen during cryptocurrency attacks.Investigative actions: Check the identity created resources and their legitimacy. Look for any unusual behavior originated from the suspected identity.Variations
Cloud identity reached a highly unusual throttling API rate
Low overridden
A cloud identity has executed a high volume of API calls, causing a throttling error.This indicates on a high volume of cloud instances allocation, such activity may be related to a cryptocurrency attack. overridden
Cloud identity reached an unusual throttling API rate in the cloud project
Informational overridden
A cloud identity has executed a high volume of API calls, causing a throttling error.This API rate is unusual on the project level. overridden
Cloud identity reached an unusual throttling API rate
Informational overridden
A cloud identity has executed a high volume of API calls, causing a throttling error.This activity is unusual for The cloud identity, and was not seen in the last 30 days. overridden
Collection error High
A collection error was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Correlation rule error Medium
An error was identified while running a correlation rule.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 12 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Error in event forwarding Medium
An error was detected in event forwarding.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 4 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.GCP Virtual Private Cloud (VPC) Network Deletion Informational Cloud
A GCP VPC network was deleted. An attacker might use this technique to interrupt business resources and workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Gcp Audit LogAttacker's goals: Block the availability of targeted resources to users/services.Investigative actions: Check which services were affected by the VPC deletion. Check the cloud identity activity before and after the VPC network deletion.GCP Virtual Private Network Route Creation Informational Cloud
A GCP VPC route was created. An attacker might use this technique to impact business workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Gcp Audit LogAttacker's goals: Block the availability of targeted resources to users/services.Investigative actions: Check which services were affected by the route creation. Check the cloud identity activity before or after the route creation.GCP Virtual Private Network Route Deletion Informational Cloud
A GCP VPC route was deleted. An attacker might use this technique to impact business workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: Gcp Audit LogAttacker's goals: Block the availability of targeted resources to users/services.Investigative actions: Check which services were affected by the route deletion. Check The cloud identity activity prior/after the route deletion.Kubernetes network policy modification Informational Cloud
A change has been made to the network policies of a Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the network infrastructure. Gain access to sensitive data. Gain access to Kubernetes resources.Investigative actions: Investigate the Kubernetes Network Policy to identify the changes made. Verify whether the identity should be making this action.Logs were not collected from a data source for an abnormally long time Low 4 variations
Logs were not collected from a data source for an abnormally long time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 6 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Variations
Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time
Low overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time
Low overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a data source for an abnormally long time, which indicates a significant stop
Medium overridden
Logs were not collected from a data source for an abnormally long time. overridden
Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently
Medium overridden
Logs were not collected from a data source for an abnormally long time. overridden
Parsing Rule Error Medium
A Parsing Rule error was detected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)Required data: Health Monitoring DataAttacker's goals: N/A.Investigative actions: N/A.Suspicious ICMP traffic that resembles smurf attack Low
ICMP smurf attack was used.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Endpoint Denial of Service: Service Exhaustion Flood (T1499.002) Network Denial of Service (T1498)Required data: XDR AgentAttacker's goals: Attempt to perform a denial-of-service attack by network exhaustion.Investigative actions: Check if the ICMP message to broadcast was used for a legitimate reason. If not, check for denial-of-service impact on the subnet.