Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. tactic: TA0040 ✕ technique: T1565 ✕
Show ATT&CK heatmapData Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations
An identity has modified data sharing settings between GCP and Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.Variations
Data Sharing between GCP and Google Workspace was disabled by a suspicious identity
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled from an unusual ASN
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Disable encryption operations Low Cloud
Encryption was disabled on the servers that host EC2 instances, both for data-at-rest and data-in-transit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation (T1565)Required data: AWS Audit LogDetector tags: Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Decrypt sensitive data host on EC2 instance, this may be a step in a flow for data exfiltration.Investigative actions: Check if Identity intended to disable the encryption.GCP Storage Bucket Configuration Modification Informational Cloud
A GCP storage bucket configuration has been modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Manipulate stored data.Investigative actions: Check if there were any services/procedures affected by the modification. Check what other actions were taken by the identity that modified the configuration.Logging was impaired via external encryption key Medium Cloud
The resource was configured with an external key This might be an attempt to disrupt log inspection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Modifying the key used to encrypt the logs to remain undetected.Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.Suspicious AI Dataset Download Low Cloud 1 variation
A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Manipulate datasets used by ML models.Investigative actions: Determine which dataset was accessed. Examine the changes made to the dataset.Variations
Suspicious First-Time AI Dataset Download by Identity
Medium overridden
A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection. overridden
Suspicious AI Dataset Label Modification Low Cloud
AI Dataset labels were modified by an identity that typically doesn't interact with labels.MITRE ATLAS Technique: AML.T0020 - Poison Training Data.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Contaminating training set, so that predictions on new data will be modified.Investigative actions: Check the identity that modified the dataset's labels. Check that the dataset is correctly labeled.Unusual AI Knowledge Base Modification Low Cloud 1 variation
An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.Variations
Suspicious AI Knowledge Base Modification
Medium overridden
An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases, adding a new data source type. overridden
Unusual AI RAG Knowledge Base Modification Low Cloud
AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.Unusual AI dataset modification Low Cloud 1 variation
A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Poison datasets used by ML models.Investigative actions: Examine changed datasets and determine which ML models were affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual AI dataset modification from an internal IP address
Informational overridden
A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning. overridden