Analytics Alerts
Browse the Cortex analytics alert reference.
16 alerts match the current filters. tactic: TA0040 ✕ technique: T1531 ✕
Show ATT&CK heatmapA Google Workspace Role privilege was deleted Informational Identity Threat Module
A privilege was removed from a Google Workspace Role, This could potentially affect the access to services and data in the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Gain access to sensitive data stored in the workspace. Gain elevated privileges in the workspace.Investigative actions: Investigate who was assigned the deleted role privilege. Verify if the role privilege was deleted intentionally.A Google Workspace user was removed from a group Informational Identity Threat Module
A user removed another user from a Google Workspace group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may interrupt the availability of services and resources by inhibiting access to users.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check if the user's work can be affected by this action. Follow further actions done by the account.A third-party application's access to the Google Workspace domain's resources was revoked Informational Identity Threat Module
An identity removed a third-party application's access to Google Workspace domain's resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker might remove an application to impair the environment.Investigative actions: Check the Google Workspace Application settings to determine which actions were triggered. Investigate the source of the request and the user associated with it. Review the access control policies to determine if the removal of the application is allowed.AWS IAM resource group deletion Informational Cloud
An AWS IAM resource group was deleted, this action may affect the permissions of the members of the deleted group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AWS Audit LogAttacker's goals: An attacker may interrupt the availability of an account, this may revoke access to the account.Investigative actions: Check what members were affected by this action.An Azure Kubernetes Service Account was modified or deleted Informational Cloud
An Azure Kubernetes Service Account was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Azure Audit LogAttacker's goals: Gain access to privileged resources using Kubernetes Service Account.Investigative actions: Verify whether the identity should be making this action. Check the Kubernetes cluster for any suspicious activity initiated by the identity. Check if any other service accounts have been modified or deleted.Azure account deletion by a non-standard account Low Identity Threat Module 2 variations
An Azure AD account deletion was performed by a user that doesn't typically delete users.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AzureAD Audit LogAttacker's goals: Interrupt availability and access to Azure by deleting access accounts.Investigative actions: Follow further actions by the initiator. Check what services, groups and applications are affected by the deleted user being removed. Check if the deleted user had a privileged role.Variations
Azure account deletion by a non-standard account with high administrative activity
Informational overridden
An Azure AD account deletion was performed by an identity with high administrative activity that doesn't typically delete users. overridden
A suspicious Azure account deletion by a non-standard account
Medium overridden
An Azure AD account deletion was performed by a user that doesn't typically delete users in a suspicious manner. overridden
Billing admin role was removed Low Cloud
Sensitive Action - Billing admin role was removed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Prevent billing notifications from being sent to the billing admin.Investigative actions: Check if the identity intended to remove the billing admin. Check if the identity performed additional malicious operations in the cloud environment.GCP IAM Role Deletion Informational Cloud
A GCP IAM role was created. An attacker might use this technique to interrupt users' actions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Inhibit users from accessing resources.Investigative actions: Check which users were affected by the role deletion. Check what other actions were taken by the identity that deleted the role.GCP IAM Service Account Key Deletion Informational Cloud
A GCP IAM service account key was deleted. An attacker might use this technique to interrupt business operations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Account access removal.Investigative actions: Check which operations were corrupted after the deletion.GCP IAM deny policy creation Low Cloud 1 variation
An identity created a GCP IAM deny policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Interrupt availability of cloud resources by inhibiting access to accounts utilized by legitimate users.Investigative actions: Examine the details of the created deny policy. Review the recent activity of the identity.Variations
Unusual GCP IAM deny policy creation
Medium overridden
An identity created a GCP IAM deny policy. overridden
GCP Service Account Deletion Informational Cloud
A GCP service account was deleted. An attacker might use this technique to remove access to valid accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Account access removal.Investigative actions: Check which operations were corrupted after the deletion.GCP Service Account Disable Informational Cloud
A GCP service account was disabled. An attacker might use this technique to interrupt business procedures and workflows.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Gcp Audit LogAttacker's goals: Account access removal.Investigative actions: Check if there were any services/procedures affected by the disable operation.Multiple Azure AD admin role removals Low Identity Threat Module
An Azure AD identity removed multiple administrators from their roles.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 3 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: AzureAD Audit LogAttacker's goals: An attacker may want to lock out an organization and retain sole access.Investigative actions: Check if the identity performing the actions was authorized to perform them. Check what roles the users were removed from. Check whether the identity is a newly added admin. Check if the identity is operating in its usual manner (location, time, operations) Check if the identity performed additional operations in the cloud environment that might be malicious.Multiple user accounts were deleted Informational Identity Analytics 1 variation
A user deleted multiple user accounts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Impact (TA0040)ATT&CK techniques: Valid Accounts (T1078) Account Access Removal (T1531)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence using a valid account.Investigative actions: Check the user who deleted the accounts and verify the activity. Look into the recent activity of the deleted accounts and whether they were temporary or dormant.Variations
A user deleted multiple users for the first time
Low overridden
A user deleted multiple user accounts. overridden
PIM privilege member removal Informational Cloud
A cloud identity has removed a user's privileged role within PIM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Azure Audit LogAttacker's goals: Disrupt system and network access by blocking legitimate user accounts.Investigative actions: Investigate the suspected identity who initiated the removal. Identify the privileged accounts that were affected. Review the current access rights of the privileged accounts.Sensitive account password reset attempt Informational Identity Analytics 1 variation
An attempt was made to reset a sensitive account's password.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Account Access Removal (T1531)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may attempt to gain access to the account.Investigative actions: Verify this action with the user who performed the change.Variations
Sensitive account password reset attempt for the first time
Low overridden
An attempt was made to reset a sensitive account's password. overridden