Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

14 alerts match the current filters. tactic: TA0040 ✕ technique: T1498 ✕

Show ATT&CK heatmap
  • A Kubernetes service was created or deleted Informational Cloud

    A Kubernetes service was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Attackers may attempt to perform denial-of-service attacks to make services unavailable.
    Investigative actions: Check which changes were made to the Kubernetes service.
  • An Azure virtual network Device was modified Informational Cloud

    An Azure virtual network Device was modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Azure Audit Log
    Attacker's goals: Gain access to resources within the virtual network. Gain access to sensitive data stored on the virtual network.
    Investigative actions: Investigate the Azure portal for the relevant virtual network device and review the changes made to it. Review the Azure Activity Log for any suspicious activities related to the virtual network device.
  • An Azure virtual network was modified Informational Cloud

    An Azure virtual network has been modified or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Azure Audit Log
    Attacker's goals: Manipulate, interrupt, or destroy data.
    Investigative actions: Verify whether the identity should be making this action. Check the audit logs for any suspicious activity related to the virtual network.
  • Cloud identity reached a throttling API rate Informational Cloud 3 variations

    A cloud identity has executed a high volume of API calls, causing a throttling error.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Abuse cloud resource, such behavior is usually seen during cryptocurrency attacks.
    Investigative actions: Check the identity created resources and their legitimacy. Look for any unusual behavior originated from the suspected identity.

    Variations

    Cloud identity reached a highly unusual throttling API rate

    Low overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This indicates on a high volume of cloud instances allocation, such activity may be related to a cryptocurrency attack. overridden

    Cloud identity reached an unusual throttling API rate in the cloud project

    Informational overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This API rate is unusual on the project level. overridden

    Cloud identity reached an unusual throttling API rate

    Informational overridden

    A cloud identity has executed a high volume of API calls, causing a throttling error.This activity is unusual for The cloud identity, and was not seen in the last 30 days. overridden

  • Collection error High

    A collection error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Correlation rule error Medium

    An error was identified while running a correlation rule.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Error in event forwarding Medium

    An error was detected in event forwarding.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    4 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • GCP Virtual Private Cloud (VPC) Network Deletion Informational Cloud

    A GCP VPC network was deleted. An attacker might use this technique to interrupt business resources and workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the VPC deletion. Check the cloud identity activity before and after the VPC network deletion.
  • GCP Virtual Private Network Route Creation Informational Cloud

    A GCP VPC route was created. An attacker might use this technique to impact business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the route creation. Check the cloud identity activity before or after the route creation.
  • GCP Virtual Private Network Route Deletion Informational Cloud

    A GCP VPC route was deleted. An attacker might use this technique to impact business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: Gcp Audit Log
    Attacker's goals: Block the availability of targeted resources to users/services.
    Investigative actions: Check which services were affected by the route deletion. Check The cloud identity activity prior/after the route deletion.
  • Kubernetes network policy modification Informational Cloud

    A change has been made to the network policies of a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the network infrastructure. Gain access to sensitive data. Gain access to Kubernetes resources.
    Investigative actions: Investigate the Kubernetes Network Policy to identify the changes made. Verify whether the identity should be making this action.
  • Logs were not collected from a data source for an abnormally long time Low 4 variations

    Logs were not collected from a data source for an abnormally long time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, which indicates a significant stop

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

  • Parsing Rule Error Medium

    A Parsing Rule error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Suspicious ICMP traffic that resembles smurf attack Low

    ICMP smurf attack was used.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Service Exhaustion Flood (T1499.002) Network Denial of Service (T1498)
    Required data: XDR Agent
    Attacker's goals: Attempt to perform a denial-of-service attack by network exhaustion.
    Investigative actions: Check if the ICMP message to broadcast was used for a legitimate reason. If not, check for denial-of-service impact on the subnet.