Analytics Alerts
Browse the Cortex analytics alert reference.
10 alerts match the current filters. technique: T1490 ✕
Show ATT&CK heatmapAWS Backup recovery point deletion Informational Cloud
An attempt was made to delete an AWS Backup recovery point.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit LogAttacker's goals: Adversaries may delete backup recovery points to prevent system recovery after compromise.Investigative actions: Identify the deleted recovery point and its associated resource. Investigate the identity that performed the deletion and review recent related activity.AWS EBS snapshot deletion Informational Cloud
An attempt was made to delete an EBS snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.Investigative actions: Identify the deleted snapshot and its associated resource. Investigate the identity that performed the deletion and review recent related activity.Cloud storage automatic backup disabled Informational Cloud 1 variation
Automatic backup of a cloud storage resource was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.Investigative actions: Confirm that the identity intended to disable automatic backup on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.Variations
Cloud storage automatic backup disabled from a CLI
Informational overridden
Automatic backup of a cloud storage resource was disabled from a CLI. overridden
Cloud storage delete protection disabled Informational Cloud 1 variation
Delete protection of a cloud storage resource was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Impair built-in protection of the cloud environment. This action may be a preliminary action before deleting the cloud resource itself.Investigative actions: Confirm that the identity intended to disable deletion protection on this resource. Follow further actions done by the identity. Monitor this resource for other suspicious activities.Variations
Cloud storage delete protection disabled by an unusual identity
Informational overridden
Delete protection of a cloud storage resource was disabled by an unusual identity. overridden
Object versioning was disabled Informational Cloud 1 variation
Object versioning of a cloud storage resource was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.Investigative actions: Confirm that the identity intended to disable the resource versioning. Follow further actions done by the identity. Monitor this resource for other suspicious activities.Variations
Object versioning was disabled by an unusual identity
Informational overridden
Cloud storage versioning was disabled/suspended by an unusual identity. overridden
Soft delete of cloud storage configuration was disabled Informational Cloud
A Soft Delete configuration was disabled on a cloud storage account.Soft delete allows a deletion of a blob or a container to be restored.Disabling it will impair the ability of the cloud environment to recover in disaster scenarios.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: Azure Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Impair the ability of the cloud environment to recover in disaster scenarios.Investigative actions: Check if the identity intended to disable soft delete for this storage account. Check if the identity performed additional malicious operations in the cloud environment.Suspicious EBS snapshots deletion Low Cloud 1 variation
An identity deleted multiple EBS snapshots from the project, considerably more than usual.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system.Investigative actions: Identify the deleted snapshots and their associated resources. Investigate the identity that performed the deletion and review recent related activity.Variations
A non administrative identity successfully deleted multiple snapshots from a project
Medium overridden
An identity deleted multiple EBS snapshots from the project, considerably more than usual. overridden
Unusual AWS S3 objects deletion Informational Cloud 2 variations
An identity deleted multiple S3 bucket objects from the project, considerably more than usual.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490) Data Destruction (T1485)Required data: AWS Audit LogAttacker's goals: Adversaries may delete data to prevent the recovery of a corrupted system. They may also aim to interrupt availability to resources.Investigative actions: Identify the deleted objects and their containing bucket. Investigate the identity that performed the deletion and review recent related activity.Variations
A non administrative identity deleted multiple S3 objects from a project
Low overridden
An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden
An identity permanently deleted multiple S3 objects from a project
Medium overridden
An identity deleted multiple S3 bucket objects from the project, considerably more than usual. overridden
Wbadmin deleted files in quiet mode High
Wbadmin was used to delete files in quiet mode.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: XDR AgentAttacker's goals: Adversaries may delete the backup catalog to prevent recovery of a corrupted system.Investigative actions: Check if the delete action was legitimate and performed by an authorized user.Windows Event Log was cleared using wevtutil.exe Low 2 variations
A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040)ATT&CK techniques: Inhibit System Recovery (T1490)Required data: XDR AgentAttacker's goals: Delete logs to cover tracks of the malicious activity, making it harder to perform analysis.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Security Event Log was cleared using wevtutil.exe
High overridden
A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden
A Sensitive Windows Event Log was cleared using wevtutil.exe
Medium overridden
A command-line utility was used to clear the Windows Event Log. It may be used to delete logs to cover the tracks of the malicious activity, making it harder to perform analysis. overridden