Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. technique: T1486 ✕
Show ATT&CK heatmapAn AWS S3 bucket configuration was modified Informational Cloud
An AWS S3 bucket configuration has been modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Modify storage configuration to detection or allow access to sensitive information.Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.S3 configuration deletion Informational Cloud
An S3 bucket configuration has been deleted.This may affect the S3 access, and the objects it contains.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Modify the S3 configuration and expose stored sensitive data.Investigative actions: Check what data is stored on the S3. Check which configuration change has been made. Verify this change did not make this S3 publicly available.Suspicious data encryption Low
Known applications were used to encrypt data within a machine's local file system.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Encrypted for Impact (T1486) Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)Required data: XDR AgentAttacker's goals: Damage or hide data on the local file system.Investigative actions: Check if the action was done using an automation service. Check if there are any other suspicious activities originated from the same machine/executing user.Suspicious objects encryption in an AWS bucket High Cloud
An AWS KMS key from a non-organization account was used to encrypt multiple objects in a bucket for the first time.This may indicate an attacker attempting to perform a ransomware attack against the organization's cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Gain monetary compensation in exchange for decryption or the decryption key. Permanently deny access to important storage objects.Investigative actions: Check if the external KMS service is a legit encryption service. Check if the identity performed enumeration activity to detect insecure S3 buckets, which are configured without the versioning and MFA Delete mechanisms. Detect additional buckets that were encrypted using the same external KMS service. Disable the identity from which the external service was configured. Enable versioning on every critical bucket. Enable MFA Delete on every critical bucket.