Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

23 alerts match the current filters. technique: T1485 ✕

Show ATT&CK heatmap
  • A Kubernetes Pod was deleted Informational Cloud

    A Kubernetes Pod was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Destroy data to interrupt cluster services and availability.
    Investigative actions: Check which Kubernetes Pods were deleted.
  • A Kubernetes cluster was created or deleted Informational Cloud

    A Kubernetes cluster was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Leverage access to manipulate the Kubernetes infrastructure.
    Investigative actions: Check which changes were made to the Kubernetes cluster and whether they are expected.
  • A container registry was created or deleted Informational Cloud

    A container registry was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to sensitive data stored in the container registry. Modify or delete existing data in the container registry.
    Investigative actions: Check the activity logs to determine what was created or removed.
  • AWS CloudWatch log group deletion Informational Cloud

    An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.
  • AWS CloudWatch log stream deletion Informational Cloud

    An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: AWS Audit Log
    Attacker's goals: An attacker may change the configuration of the affected resource to remain undetected.
    Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.
  • AWS RDS cluster deletion Informational Cloud

    A previously provisioned DB cluster (RDS) was deleted.When a DB cluster is being deleted, all automated backups for that DB cluster are deleted and can't be recovered.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Destruction of data.
    Investigative actions: Check which cluster was deleted. Check if there are any manual backups for that cluster (as they are not affected by this action).
  • An AWS EFS File-share mount was deleted Informational Cloud

    An AWS EFS File-share mount was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Modify or delete data stored in the EFS File-share.
    Investigative actions: Verify whether the identity that deleted the File-share should be making this action.
  • An AWS EFS file-share was deleted Informational Cloud

    An AWS EFS File-share has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Gain access to sensitive data stored on the AWS EFS File-share.
    Investigative actions: Check the AWS EFS File-shares for any modifications or deletions.
  • An AWS EKS cluster was created or deleted Informational Cloud

    An AWS EKS cluster has been created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Initial Access (TA0001) Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Valid Accounts (T1078)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to the cluster and its resources.Gain access to sensitive data stored in the cluster.
    Investigative actions: Check whether the identity is authorized to perform changes to AWS EKS clusters.
  • An AWS RDS Global Cluster Deletion Informational Cloud

    An AWS RDS global cluster was deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Destruction of data.
    Investigative actions: Check for existing backups for the deleted cluster. Check if a secondary cluster exists, which was detached before the global deletion.
  • An AWS SES identity was deleted Informational Cloud

    An AWS SES identity has been deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Gain access to confidential emails of an organization.
    Investigative actions: Check whether the identity that executed the API should be making this action.
  • An Azure Kubernetes Cluster was created or deleted Informational Cloud

    An Azure Kubernetes Cluster was created or deleted.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Azure Audit Log
    Attacker's goals: Leverage access to Azure Kubernetes to disrupt or damage the organization's infrastructure.
    Investigative actions: Verify whether the identity is authorized to perform this action. Investigate any suspicious activity initiated by the identity.
  • Azure Resource Group Deletion Informational Cloud

    Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Azure Audit Log
    Attacker's goals: Evade detection.
    Investigative actions: Check which resource group was deleted.
  • Broker Collection Error Informational 2 variations

    A collection error was detected on a broker VM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Broker Collector Critical Error

    High overridden

    A collection error was detected on a broker VM. overridden

    Broker Collection Issue

    Medium overridden

    A collection error was detected on a broker VM. overridden

  • Deletion of multiple cloud resources Informational Cloud 2 variations

    An identity deleted multiple cloud resources.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.
    Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.

    Variations

    Deletion of multiple cloud resources

    Medium overridden

    An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen across all projects for the last 30 days. overridden

    Deletion of multiple cloud resources

    Low overridden

    An identity deleted multiple cloud resources.This large volume of deleted cloud resources had not been seen in this project for the last 30 days. overridden

  • GCP Storage Bucket deletion Informational Cloud 1 variation

    A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: Data destruction.
    Investigative actions: Check which data was deleted from the bucket.

    Variations

    GCP Storage Bucket containing sensitive data was deleted

    Informational overridden

    A GCP bucket was deleted. An attacker might use this technique to destroy business data and its workflows. overridden

  • ML artifacts destruction Low Cloud 1 variation

    An identity deleted multiple ML artifacts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Leverage access to the cloud to delete resources and cause damage to an organization's infrastructure.
    Investigative actions: Confirm the legitimacy of the suspected identity and what cloud resources have been deleted by the identity. Look for any unusual activity associated with the suspected identity and determine whether they are compromised.

    Variations

    Unusual ML artifacts destruction

    Medium overridden

    An identity deleted multiple ML artifacts.This large volume of deleted ML artifacts had not been seen across all projects for the last 30 days. overridden

  • Massive files deletion in Box Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Box Audit Log
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Box with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Box. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Dropbox Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: DropBox
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Dropbox with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Dropbox. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Google Drive Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Google Drive with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Google Drive. This behavior may indicate that the data is being wiped. overridden

  • Massive files deletion in Microsoft SharePoint or OneDrive Informational Identity Threat Module 1 variation

    A user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485)
    Required data: Office 365 Audit
    Attacker's goals: An attacker may delete files from a SaaS service to wipe data from the organization.
    Investigative actions: Investigate the source account and verify if it was compromised or performed an authorized activity. Review the files that were deleted to determine if they contain sensitive or critical data. Monitor the account for any further suspicious actions.

    Variations

    Massive files deletion in Microsoft SharePoint or OneDrive with suspicious parameters

    Low overridden

    A suspicious user deleted a large amount of data in Microsoft SharePoint or OneDrive. This behavior may indicate that the data is being wiped. overridden

  • Unusual AWS S3 objects deletion Informational Cloud 2 variations

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)
    Required data: AWS Audit Log
    Attacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.
    Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.

    Variations

    A non administrative identity deleted multiple S3 objects from a project

    Low overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

    An identity permanently deleted multiple S3 objects from a project

    Medium overridden

    An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden

  • Unusual resource modification by newly seen IAM user Informational Cloud 3 variations

    A cloud resource was modified by a newly seen IAM user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Impact (TA0040)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Data Destruction (T1485)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Leverage access to manipulate cloud infrastructure.
    Investigative actions: Examine which resources were affected and how. Investigate any unusual activity originating from the identity.

    Variations

    Unusual Kubernetes resource modification by newly seen IAM user

    Informational overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual IAM resource modification by newly seen IAM user

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden

    Unusual resource modification by newly seen IAM user from an uncommon IP

    Low overridden

    A cloud resource was modified by a newly seen IAM user. overridden