Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0040 ✕ technique: T1499 ✕

Show ATT&CK heatmap
  • Potential denial of wallet abusing AI services Low Cloud 1 variation

    An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Application Exhaustion Flood (T1499.003) Resource Hijacking (T1496)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Disrupting or shutting down an ML service.
    Investigative actions: Investigate the impact on the ML service.

    Variations

    Possible denial of wallet abusing AI services

    Medium overridden

    An ML model experienced a sudden spike in requests in a short time.MITRE ATLAS Techniques: AML.T0029 - Denial of ML Service, AML.T0034 - Cost Harvesting.OWASP Top 10 LLM Technique: LLM10 - Unbounded Consumption. overridden

  • Suspicious ICMP traffic that resembles smurf attack Low

    ICMP smurf attack was used.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Endpoint Denial of Service: Service Exhaustion Flood (T1499.002) Network Denial of Service (T1498)
    Required data: XDR Agent
    Attacker's goals: Attempt to perform a denial-of-service attack by network exhaustion.
    Investigative actions: Check if the ICMP message to broadcast was used for a legitimate reason. If not, check for denial-of-service impact on the subnet.