Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

12 alerts match the current filters. technique: T1489 ✕

Show ATT&CK heatmap
  • A service was disabled Informational 3 variations

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: XDR Agent
    Attacker's goals: Evade detection by certain programs. Limit the functionality and availability of systems, services, and network resources.
    Investigative actions: Check if the disabled service could potentially threaten a malicious actor, or if holds a critical role. Investigate the disabling process to understand if it performed other suspicious actions.

    Variations

    A service was disabled without using the ServiceControlManager RPC interface

    Informational overridden

    A service was disabled abnormally through the registry. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

    An injected process performed an uncommon service deactivation

    Informational overridden

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

    An unsigned process performed an uncommon service deactivation

    Low overridden

    A service was disabled abnormally. This may be performed by malicious actors in an attempt to evade detection or limit functionality. overridden

  • Aurora DB cluster stopped Informational Cloud

    An Aurora DB cluster (RDS) was stopped.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & Response
    Attacker's goals: This may assist an attacker to exfiltrate sensitive information.
    Investigative actions: Check if the identity intended to stop the cluster. Check if this DB contains sensitive information. Check encryption for the DB cluster (at rest).
  • Azure Automation Runbook Deletion Informational Cloud

    An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)
    Required data: Azure Audit Log
    Attacker's goals: Stop business services.
    Investigative actions: Check which runbook was deleted and whether it is malicious or valid.
  • Broker Collection Error Informational 2 variations

    A collection error was detected on a broker VM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Destruction (T1485) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Broker Collector Critical Error

    High overridden

    A collection error was detected on a broker VM. overridden

    Broker Collection Issue

    Medium overridden

    A collection error was detected on a broker VM. overridden

  • Collection error High

    A collection error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Correlation rule error Medium

    An error was identified while running a correlation rule.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    12 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Error in event forwarding Medium

    An error was detected in event forwarding.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    4 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • GCP Pub/Sub Subscription Deletion Informational Cloud

    A GCP Pub/Sub subscription was deleted. An attacker might use this technique to affect business workflows.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Check which services were affected due to the Pub/Sub deletion. Check The cloud identity activity prior/after the subscription deletion.
  • GCP Pub/Sub Topic Deletion Informational Cloud

    A GCP Pub/Sub topic was deleted, might affect workflows due to interrupts within the Pub/Sub pipeline.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: Gcp Audit Log
    Attacker's goals: Interrupt business services.
    Investigative actions: Check which services were affected due to the Pub/Sub topic deletion. Check The cloud identity activity prior/after the topic deletion.
  • Logs were not collected from a data source for an abnormally long time Low 4 variations

    Logs were not collected from a data source for an abnormally long time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.

    Variations

    Logs were not collected from a Windows Event Collector (WEC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a Microsoft Windows XDR Collector (XDRC) for an abnormally long time

    Low overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, which indicates a significant stop

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

    Logs were not collected from a data source for an abnormally long time, despite a stable and consistent data stream until recently

    Medium overridden

    Logs were not collected from a data source for an abnormally long time. overridden

  • Parsing Rule Error Medium

    A Parsing Rule error was detected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    6 Hours
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Network Denial of Service (T1498) Service Stop (T1489)
    Required data: Health Monitoring Data
    Attacker's goals: N/A.
    Investigative actions: N/A.
  • Uncommon service stop operation Informational

    An attempt to stop a service was made using an unusual shell command.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Service Stop (T1489)
    Required data: XDR Agent
    Attacker's goals: Attackers may disable services to disrupt system functionality and weaken security defenses.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.