Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. technique: T1222 ✕

Show ATT&CK heatmap
  • Azure Blob Container Access Level Modification Informational Cloud

    Access level modification for a blob container, this action might be dangerous as sensitive data can be exposed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: File and Directory Permissions Modification (T1222)
    Required data: Azure Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Access restricted data.
    Investigative actions: Check if and which data was exposed after the access level modification.
  • GCP Storage Bucket Permissions Modification Informational Cloud

    A GCP storage bucket's IAM permissions were modified. An attacker might use this technique to expose sensitive data or cause data loss.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: File and Directory Permissions Modification (T1222)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate information.
    Investigative actions: Check which data exists in the modified bucket and its classification. Look for events that involve actions for the bucket data.