Analytics Alerts
Browse the Cortex analytics alert reference.
82 alerts match the current filters. technique: T1562 ✕
Show ATT&CK heatmapA browser was opened in private mode Informational Identity Threat Module
A browser was opened in private mode, which may indicate an attempt to cover tracks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006) Hide Artifacts (T1564)Required data: XDR AgentAttacker's goals: A browser was opened in private mode. Users might use private mode if they wish to stay anonymous online or hide their search and browsing history.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert.A cloud identity created or modified a security group Informational Cloud 2 variations
A cloud identity created or modified a security group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Bypass network security controls to gain access to restricted cloud resources.Investigative actions: Check which security rules were added or modified. Check whether the identity that modified the security group rules is permitted to perform such action. Check which cloud resources can be affected by the security group.Variations
A cloud identity opened a security group to the Internet
Medium overridden
A cloud identity modified a security group to allow network access from the Internet. overridden
A cloud identity opened a security group to an unknown IP
Low overridden
A cloud identity modified a security group to allow network access from an unknown IP. overridden
A domain was added to the trusted domains list Low Identity Threat Module 2 variations
A domain was added to the Google Workspace trusted domains list.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification: Trust Modification (T1484.002)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An adversary may add a trusted domain to collect and exfiltrate data from their target's organization with less restrictive security controls.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate the new domain in the trusted domains list. Follow further actions done by the account.Variations
A domain was added to the trusted domains list by a non Google Workspace administrative user
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A domain was added to the trusted domains list from an unusual ASN
Low overridden
A domain was added to the Google Workspace trusted domains list. overridden
A user added a Windows firewall rule Informational Identity Threat Module
A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.Investigative actions: Check for any other suspicious activity related to the host and the user involved in the alert. Check Windows Defender Firewall with Advanced Security for a new rule that was added. Check if the new rule was added to different machines as well.A user modified an Okta network zone Informational Identity Threat Module 2 variations
An Okta network zone was modified by a user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta network zone to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other network zones have been changed or removed.Variations
The user has made an unusual modification to the Okta Network zone
Medium overridden
An atypical modification to the Okta Network zone has been performed by the user. overridden
A user modified an Okta network zone with suspicious characteristics
Low overridden
An Okta network zone was modified by a user with suspicious characteristics. overridden
A user modified an Okta policy rule Informational Identity Threat Module 1 variation
An Okta policy rule was modified by a user, suggesting a potential compromise of the account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484) Modify Authentication Process (T1556)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker may attempt to modify an Okta policy rule to weaken an organization's security controls.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed.Variations
A user modified an Okta policy rule with suspicious characteristics
Low overridden
An Okta policy rule was modified by a suspicious user, suggesting a potential compromise of the account. overridden
A user modified the CA audit policy Low Identity Analytics
This may indicate that an attacker is attempting to cover their tracks before an AD CS attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable Windows Event Logging (T1562.002)Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: An attacker is attempting to cover their tracks before an AD CS attack.Investigative actions: Check the user account modifying the CA audit policy and verify its activity. Review AD CS logs to identify any unauthorized certificate issuances, modifications, or template changes. Examine recent activity from the user account, including logon patterns and privilege changes. Continue monitoring the account for any subsequent actions that may indicate suspicious behavior.AI safeguards deletion attempt Informational Cloud 1 variation
A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.Investigative actions: Examine which AI models were affected. Investigate any unusual activity originating from the suspected identity.Variations
AI safeguards were successfully deleted
Low overridden
A cloud identity deleted AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
AI safeguards were modified Informational Cloud 2 variations
A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Evade model's restrictions and potentially accessing sensitive data or banned topics.Investigative actions: Examine changed safeguards filters and determine which AI models were affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual modification of AI safeguards
Low overridden
A cloud identity modified AI safeguards.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
AI safeguards were created or modified
Informational overridden
A cloud identity created or modified AI safeguards. overridden
AWS Bedrock model invocation logging deletion Low Cloud 2 variations
A cloud identity deleted the model invocation logging.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Avoid detection by limiting collected data from models.Investigative actions: Investigate any unusual activity originating from the suspected identity.Variations
AWS Bedrock model invocation logging deletion by an identity with administrative activity
Informational overridden
A cloud identity with administrative activity deleted the model invocation logging. overridden
AWS Bedrock model invocation logging was successfully deleted
Low overridden
A cloud identity successfully deleted the model invocation logging. overridden
AWS CloudTrail has been stopped Informational Cloud 2 variations
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Verify whether the identity attempted to stop trail logging. Determine if additional trails continue to log activity.Variations
AWS CloudTrail has been stopped
Medium overridden
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden
AWS CloudTrail has been stopped
Low overridden
A cloud trail logging has been stopped, which indicates that AWS API calls are not recorded in that trail. overridden
AWS CloudTrail modification Informational Cloud 2 variations
An identity updated a CloudTrail trail configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Review the activity of the identity that modified the trail's configuration. Check which trail is affected by this change. Verify whether a new destination has been set for log archiving.Variations
AWS CloudTrail modification
Medium overridden
An identity updated a CloudTrail trail configuration. overridden
AWS CloudTrail modification
Low overridden
An identity updated a CloudTrail trail configuration. overridden
AWS CloudWatch log group deletion Informational Cloud
An AWS CloudWatch log group was deleted, this action permanently deletes all the archives associated with this group.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log group. Check what resources were affected by this change.AWS CloudWatch log stream deletion Informational Cloud
An AWS CloudWatch log stream was deleted, this action permanently deletes all the archives associated with this stream.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check why the identity deleted the log stream. Check which resource is affected by this change.AWS Config Recorder stopped Informational Cloud
Configuration Recorder was stopped for a resource in AWS Config.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: An attacker may change the configuration of the affected resource to remain undetected.Investigative actions: Check the identity which stopped the configuration recording. Check what resources are affected by this change.AWS Flow Logs deletion Informational Cloud
A cloud identity has deleted one or more Flow Logs records.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Exfiltrate information.Investigative actions: Check if the Identity intended to delete the Flow Logs record/s. Check what VPC is affected by this.AWS Guard-Duty detector deletion Low Cloud
AWS Guard-Duty detector was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: This action may assist an attacker to evade detection.Investigative actions: Check why the identity deleted the detector. Check what resources are relevant to the deleted detector.AWS S3 bucket was exposed to public access Low Cloud 2 variations
AWS bucket was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the bucket to public. Change the bucket or ACL policy for bucket. Restrict permissions for the identity if needed.Variations
AWS S3 bucket was exposed to public access by admin cloud identity
Informational overridden
AWS bucket was publicly shared. overridden
AWS S3 bucket was exposed to public access containing sensitive information
High overridden
AWS bucket was publicly shared. overridden
AWS config resource deletion Informational Cloud
An AWS config resource deletion this includes:Config rule, organization rule, configuration recorder, remediation configuration, conformance pack, configuration aggregator, delivery channel, retention configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: An attacker may modify Config configuration to evade detection.Investigative actions: Check why the identity deleted the configuration. Check what resources are relevant to the deleted config.AWS data asset shared public Low Cloud
A data asset was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.AWS network ACL rule deletion Informational Cloud
An AWS network ACL rule was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Deleting an ingress rule may allow an attacker to gain persistence in the cloud environment.Deleting an egress rule may enable data exfiltration.Investigative actions: Identify which VPC and associated resources are affected. Check the rule number, as ACL rules are evaluated in order. Determine whether the rule is ingress or egress.AWS web ACL deletion Informational Cloud 1 variation
Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: To impair defense, this may assist data exfiltration.Investigative actions: Verify if the identity intended to delete the Web ACL. Check what resources are affected by the Web ACL deletion.Variations
Successful AWS web ACL deletion by a non-admin identity
Low overridden
Web ACL defines a collection of rules to use to inspect and control web requests.A Web ACL has been deleted. overridden
An AWS GuardDuty IP set was created Informational Cloud
An AWS GuardDuty IP set has been created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Evade detection.Investigative actions: Check which IP set has been modified and confirm the changes.An AWS S3 bucket configuration was modified Informational Cloud
An AWS S3 bucket configuration has been modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Data Encrypted for Impact (T1486)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Modify storage configuration to detection or allow access to sensitive information.Investigative actions: Examine AWS S3 access to identify any suspicious activity. Check which S3 buckets were affected.An Azure Firewall policy deletion Low Cloud
An Azure Firewall policy was deleted. An attacker might use this technique to disable network defenses.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Exfiltrate information, network persistence of a service/resource.Investigative actions: Check which subnets or specific IP addresses were affected by the change. Check which services were accessed after the firewall change and via which protocols or network traffic.An Azure Firewall rule collection group was modified or deleted Informational Cloud
An Azure Firewall rule collection group was modified or deleted. This could indicate a malicious actor attempting to bypass security measures.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security measures to gain access to cloud resources.Investigative actions: Check the Azure Firewall rule collection group to identify the modified or deleted rules.An Azure Firewall was modified Informational Cloud
An Azure Firewall was modified or deleted. This may indicate a security risk.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Verify whether the identity should be making this action. Check what changes were made to Azure Firewall.An Azure Network Security Group was modified Informational Cloud
An Azure Network Security Group was modified or deleted. This could indicate malicious activity or a misconfiguration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures to gain access to cloud resources.Investigative actions: Check the network security settings of the Azure account to identify any recent changes.An Azure Point-to-Site VPN was modified Informational Cloud
An Azure Point-to-Site VPN was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security controls.Investigative actions: Determine how the Azure Point-to-Site VPN was modified or deleted. Verify whether the identity performing this action is authorized to make such changes.An Azure Suppression Rule was created Informational Cloud
An Azure Suppression Rule was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Investigate the user's activity to determine the cause of the alert.An Azure VPN Connection was modified Informational Cloud
Modification or removal of an Azure VPN connection was detected. This alert indicates a change to an existing VPN connection or the deletion of an existing connection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Bypass security measures.Investigative actions: Check how Azure VPN Connection was modified. Verify whether the identity should be making this action.An Azure firewall rule group was modified Informational Cloud
An Azure firewall rule group was modified or deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Azure Audit LogAttacker's goals: Bypass security controls to gain access to restricted resources within the Azure cloud environment.Investigative actions: Check the Azure Firewall rule configuration to identify the changes made. Verify whether the identity should be making this action.An identity disabled bucket logging Informational Cloud
An identity disabled bucket logging.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Avoid detection by disabling cloud logging capabilities.Investigative actions: Determine whether this activity was done on purpose. Examine additional API calls made by the identity.Azure Automation Runbook Deletion Informational Cloud
An Azure Automation runbook was deleted. This could disrupt business automation processes or remove a malicious runbook that was part of an attack.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Impair Defenses (T1562) Service Stop (T1489)Required data: Azure Audit LogAttacker's goals: Stop business services.Investigative actions: Check which runbook was deleted and whether it is malicious or valid.Azure Event Hub Deletion Low Cloud
An Azure event hub was deleted. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check what actions were taken by the identity that deleted the event hub.Azure Kubernetes events were deleted Informational Cloud
Events have been deleted in Azure Kubernetes. This could indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogAttacker's goals: Remove evidence or hinder defenses.Investigative actions: Look for any suspicious activity initiated by the identity.Azure Network Watcher Deletion Low Cloud
Azure Network Watchers are used for monitoring and diagnosing Azure resources. An attacker might use this technique to avoid security mitigations.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Avoid security mitigations and detections.Investigative actions: Check which devices are monitored by the deleted Network Watcher.Azure Resource Group Deletion Informational Cloud
Resource group deletion permanently deletes all resources within the group, An attacker might use this technique to avoid detection or destroy procedures/data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Destruction (T1485) Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check which resource group was deleted.Azure diagnostic configuration deletion Informational Cloud
An attacker might delete the Azure diagnostic settings to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit LogAttacker's goals: Evade detection.Investigative actions: Check the identity and its actions after the deletion action.Azure storage account was publicly shared Informational Cloud
Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Azure Audit LogDetector tags: Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: Attackers want to maintain indirect control over the resource. Attackers intend to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the storage account should be accessed from all networks. Disable public network access if needed. Check if the identity performed additional malicious activity and restrict permissions for the identity if required.Chrome OS Remote Access policy was modified in Google Workspace Informational Identity Threat Module 1 variation
A user modified Chrome OS Remote Access configuration in Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Lateral Movement (TA0008)ATT&CK techniques: Impair Defenses (T1562) Remote Services (T1021)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify remote access settings to maintain persistent access and bypass security controls.Investigative actions: Verify if the configuration change was authorized. Investigate the source IP address and account involved for malicious activity. Follow further actions performed by the account and Remote Access connections performed.Variations
Suspicious Chrome OS Remote Access policy was modified in Google Workspace
Low overridden
This is the first time the user performs this operation in the last 30 days. overridden
Cloud AI agent was modified Informational Cloud 1 variation
A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Modify AI agents to evade certain restrictions and potentially access sensitive data.Investigative actions: Examine changed AI agent and determine how it was affected. Investigate any unusual activity originating from the suspected identity.Variations
Unusual modification of AI agent
Low overridden
A cloud identity modified AI agent.MITRE ATLAS Technique: AML.T0015 - Evade ML Model. overridden
Cloud Organizational policy was created or modified Informational Cloud 1 variation
Cloud organizational policy was created or modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Domain or Tenant Policy Modification (T1484)Required data: Gcp Audit LogAttacker's goals: Gain elevated privileges, disable security measures, misuse resources or cause disruption.Investigative actions: Check which services were affected by the policy creation. Check The cloud identity activity prior/after the policy creation.Variations
Cloud Organizational policy was created or modified
Low overridden
Cloud organizational policy was created or modified. overridden
Cloud Watch alarm deletion Informational Cloud
A Cloud Watch alarm was deleted.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: Delete alarm to evade detection.Investigative actions: Check the identity that deleted the alarm. Check the which resource were related to the deleted alarm.Cloud resource logging was disabled Informational Cloud 3 variations
Cloud resource logging was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: Avoiding detection of their activities by limiting the amount of data collected. This action may be preliminary to resource deletion or data exhilaration from the resource. Setting the stage for further attacks, like a Ransomware Attack.Investigative actions: Confirm that the identity intended to disable logging on this resource. Follow further actions done by the identity. Monitor other (non-disabled) activity logs related to this resource.Variations
Cloud resource logging was disabled - failed attempt
Informational overridden
A failed attempt to disable cloud resource logging. overridden
Cloud resource logging was disabled on an Azure DB/storage resource
Informational overridden
Cloud resource logging was disabled on a DB/storage resource. overridden
Cloud resource logging was disabled on a GCP DB/storage resource
Low overridden
Cloud resource logging was disabled on a DB/storage resource. overridden
CloudTrail logging deletion Informational Cloud 2 variations
CloudTrail logging trail deletion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Verify whether the identity attempted to delete the trail. Determine whether an additional trail needs to be enabled.Variations
Successful CloudTrail logging deletion by a non-admin identity
Medium overridden
CloudTrail logging trail deletion. overridden
Successful CloudTrail logging deletion by an unusual identity
Low overridden
CloudTrail logging trail deletion. overridden
Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations
An identity has modified data sharing settings between GCP and Google Workspace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.Variations
Data Sharing between GCP and Google Workspace was disabled by a suspicious identity
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data Sharing between GCP and Google Workspace was disabled from an unusual ASN
Low overridden
An identity has modified data sharing settings between GCP and Google Workspace. overridden
Data encryption was disabled Informational Cloud
A cloud identity has disabled data encryption.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Weaken Encryption (T1600) Impair Defenses (T1562)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Data Detection & ResponseAttacker's goals: An attacker is trying to access sensitive data in plaintext. An attacker might try to exfiltrate plaintext data to an endpoint controlled by the attacker and avoid detection. An attacker can re-encrypt the data with a key that is available only to the attacker.Investigative actions: Check if the identity intended to disable data encryption. Check which cloud assets were affected by manipulating the above-mentioned configuration file. Check if the identity performed additional suspicious actions to affected assets.Disable Microsoft Defender Antivirus via registry Low
Disable Microsoft Defender Antivirus via registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adversary may attempt to disable defender antivirus to execute malicious tools and move through the network without triggering alarms.Investigative actions: Investigate the process that set or create the registry key.Exchange DKIM signing configuration disabled Low Identity Threat Module Email 1 variation
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
A recently configured Exchange DKIM signing configuration was disabled
Informational overridden
A user disabled an Exchange DomainKeys Identified Mail (DKIM) signing configuration. DKIM helps ensure that emails are authorized and not spoofed. overridden
Exchange Safe Attachment policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Attachment policy, which provides phishing protection to email attachments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Attachment (T1566.001)Required data: Office 365 AuditAttacker's goals: An attacker may attempt to disable the Safe Attachment policy to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Exchange Safe Link policy disabled or removed Low Identity Threat Module Email
A user disabled an Exchange Safe Link policy, which provides phishing protection to emails that contain hyperlinks.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing: Spearphishing Link (T1566.002)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass security measures associated with hyperlinks in email messages.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for email messages received with hyperlinks. Check for a possible phishing campaign on the organization.Exchange anti-phish policy disabled or removed Low Identity Threat Module Email 1 variation
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Initial Access (TA0001)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001) Phishing (T1566)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Check for a possible phishing campaign on the organization.Variations
Recently configured Exchange anti-phish policy disabled or removed
Informational overridden
A user disabled or removed an Exchange anti-phish policy, which may indicate evasion of a possible phishing campaign. overridden
Exchange audit log disabled Low Identity Threat Module Email
A user disabled the Exchange audit log. This may indicate an attempt to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).Exchange mailbox audit bypass Low Identity Threat Module Email
A user added mailbox audit bypass for an account. This will allow the account to perform actions without being logged, and may indicate an attempt to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker may abuse the audit bypass mechanism to conceal actions and evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected.Exchange malware filter policy removed Low Identity Threat Module Email
A user removed an Exchange malware filter policy, which may prevent the detection of malware.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to evade detection.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Investigate if any other security policies have been changed or removed. Monitor for signs of malware in future messages.GCP Firewall Rule Modification Informational Cloud
A GCP firewall rule was modified. An attacker might use this technique to access restricted resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.GCP Firewall Rule creation Informational Cloud
A GCP VPN firewall rule was created. An attacker might use this technique to block or open access to/from restricted areas.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the created rule. Check the cloud identity activity before and after the rule creation.GCP Logging Bucket Deletion Informational Cloud
A GCP logging bucket was deleted. An attacker might delete the bucket to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Data Detection & ResponseAttacker's goals: Evade detection.Investigative actions: Check which logs were affected by the bucket deletion. Check The cloud identity activity prior/after to the bucket deletion.GCP VPC Firewall Rule Deletion Informational Cloud
A GCP VPC firewall rule was deleted. An attacker might use this technique to access restricted resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Hours
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)Required data: Gcp Audit LogAttacker's goals: Access restricted resources.Investigative actions: Check if there were any network attempts that fit the deleted rule. Check The cloud identity activity prior/after to the rule deletion.GCP data asset shared public Low Cloud
The GCP data asset was publicly shared.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: Gcp Audit LogDetector tags: Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: The attacker wants to maintain indirect control over the resource. The attacker intends to allow public access, making it harder to detect future activity. Attackers are constantly monitoring for public assets to steal sensitive information.Investigative actions: Check if the identity intended to change the state of the data asset to public. Change the access policy for the affected asset. Restrict permissions for the identity if needed.GCP logging sink deletion Informational Cloud 1 variation
A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Identify the logs impacted by the deletion. Review cloud identity activity before and after the deletion.Variations
GCP logging sink deletion
Low overridden
A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.An attacker might use this technique to evade detection. overridden
GCP logging sink modification Informational Cloud 2 variations
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: Gcp Audit LogAttacker's goals: Evade detection by limiting collected data.Investigative actions: Identify the relevant logs impacted by the modification. Review The cloud identity activity before and after the logging sink modification.Variations
GCP logging sink modification
Medium overridden
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden
GCP logging sink modification
Low overridden
A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection. overridden
Indicator blocking Informational 1 variation
Auditing or logging configuration changes on Linux host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Indicator Blocking (T1562.006)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Impairing host defenses.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Indicator blocking in a Kubernetes pod
Low overridden
Auditing or logging configuration changes on Linux host. overridden
Iptables configuration command was executed Informational 7 variations
The iptables process was executed with a command to add or delete rules on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: Adding or deleting system firewalls rules to avoid possible detection.Investigative actions: Verify that this isn't IT activity. Look for other hosts executing similar commands.Variations
Rare iptables port forward command was executed
Low overridden
An iptables command was executed to perform port forward, This command is unpopular. overridden
Uncommon iptables port forward command was executed on the host
Informational overridden
An iptables command was executed to perform port forward, This command is uncommon for the host. overridden
Rare iptables delete command was executed
Low overridden
An iptables command was executed to delete rule, This command is unpopular. overridden
A rare iptables delete command was executed on the host
Informational overridden
An iptables command was executed to delete rule, This command is uncommon for the host. overridden
A rare iptables flush all command was executed
Low overridden
An iptables command was executed to flush all rules, This command is unpopular. overridden
A rare iptables flush command was executed
Low overridden
An iptables command was executed to flush all rules, This command is unpopular. overridden
A rare iptables flush command was executed on the host
Informational overridden
An iptables command was executed to flush rules, This command is uncommon for the host. overridden
Kubernetes cluster events deletion Informational Cloud
Kubernetes cluster events deletion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Adversaries may delete Kubernetes events to avoid possible detection.Investigative actions: Check whether these changes are expected.Linux system firewall was modified Low
The system firewall was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Exfiltrate data or move laterally in the organization.Investigative actions: Examine the command to understand which IPs or ports were affected. Check the communication allowed by the modified firewall rule.Logging was impaired via external encryption key Medium Cloud
The resource was configured with an external key This might be an attempt to disrupt log inspection.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Modifying the key used to encrypt the logs to remain undetected.Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.MFA device was removed/deactivated from an IAM user Informational Cloud
Deactivate an MFA device and disassociate it from an IAM user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562)Required data: AWS Audit LogAttacker's goals: This may allow an attacker to gain access to the IAM user.Investigative actions: Check if IAM requires MFA to be enabled.Microsoft 365 DLP policy disabled or removed Informational Identity Threat Module Email 1 variation
A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Office 365 AuditAttacker's goals: An attacker is attempting to bypass Microsoft 365 Data Loss Prevention (DLP) policies.Investigative actions: Follow further actions done by the account. Verify that the configuration change was expected. Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Monitor the user's activity for any access to sensitive data or data exfiltration. Investigate if any other security policies have been changed or removed.Variations
Rare Microsoft 365 DLP policy removal
Low overridden
A user disabled or removed a Microsoft 365 data loss prevention (DLP) policy, which may indicate DLP monitoring evasion. overridden
Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams the application setup policy, which is responsible for application management, was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.Variations
A user changed the Microsoft Teams application setup policy for the first time
Low overridden
Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden
Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams external communication policy was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.Variations
Microsoft Teams external communication policy was modified by an unusual user
Low overridden
Microsoft Teams external communication policy was modified. overridden
New addition to Windows Defender exclusion list Low 1 variation
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Hide Artifacts: File/Path Exclusions (T1564.012) Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Check the excluded object type (process, path or extension) and nature. Check if the excluded object is malicious.Variations
New addition to Windows Defender exclusion list from an unsigned process
Medium overridden
Windows Defender keeps the exclusion list in the registry, and any addition to it will cause it to ignore a process, path or file extension. overridden
Security object deletion in Google Workspace Admin Console Informational Identity Threat Module 1 variation
A security object was deleted in Google Workspace Admin Console.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may modify or disable security rules to avoid detection of their activities.Investigative actions: Investigate the security object name deleted and whether it was intended. Check if the user was recently granted new elevated permissions that allowed them to delete security rules. Follow other administrative or suspicious actions performed by this user around the same time.Variations
Security object deletion in Google Workspace Admin Console for the first time
Low overridden
A security object was deleted in Google Workspace Admin Console. overridden
Suspicious SSH Downgrade Low 2 variations
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Defense Evasion (TA0005)ATT&CK techniques: Remote Services (T1021) Impair Defenses: Downgrade Attack (T1562.010)Required data: Palo Alto Networks Firewall EAL LogsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may attempt to move laterally over the network by exploiting problems in a lower version of SSH.Investigative actions: Audit the authentication attempts in the SSH server from the alerted host.If the source host authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.Variations
A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the source host used in the past. overridden
A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days
Low overridden
The endpoint asked for an ssh downgrade, ssh downgrade may enable attackers to perform attacks such as data decryption, man in the middle, session hijack, replay attack and more. With a lower version than the remote host used in the past. overridden
Suspicious activity on logging bucket Informational Cloud 1 variation
An identity performed a suspicious activity on bucket used to store logs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)Required data: AWS Audit LogAttacker's goals: Evade detection by tampering the logs.Investigative actions: Verify whether the identity attempted to access the bucket. Verify no logs were modified in the bucket.Variations
Suspicious deletion on CloudTrail logging bucket
Medium overridden
An identity performed a suspicious activity on bucket used to store CloudTrail logs. overridden
Suspicious disablement of the Windows Firewall Low
The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with C2 servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.Investigative actions: Check whether the command line executed is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if the process is legitimately disabling the firewall.Suspicious disablement of the Windows Firewall using PowerShell commands Medium
The Windows Firewall has been disabled using PowerShell. Malware may turn it off to exfiltrate data and communicate with C2 servers.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.Investigative actions: Check Windows event logs to see the PowerShell command or script that was executed. Check whether the PowerShell command is benign or normal for the host and/or user performing it. Investigate the endpoint to determine if it's a legitimate process that disabled the firewall.Tampering with Internet Explorer Protected Mode configuration Informational 2 variations
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR AgentAttacker's goals: When an add-on is running inside Protected Mode attempts to launch a broker process, this key is checked to determine how the process should be launched. Attackers may change this value to make the process launch with higher privileges.Investigative actions: Check whether the injecting process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Tampering with Internet Explorer Protected Mode default configuration
Medium overridden
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden
Tampering with Internet Explorer Protected Mode specific app configuration
Informational overridden
When an add-on is running inside Protected Mode attempts to launch a broker process (or any other program), the ElevationPolicy Registry key is checked to determine how the process should be launched. Internet Explorer will run a broker process with higher rights that can use the current user's permissions to take actions that would otherwise be prohibited when rendering content inside the Protected Mode sandbox. https://blogs.msdn.microsoft.com/ieinternals/2009/11/30/understanding-the-protected-mode-elevation-dialog/. overridden
The Linux system firewall was disabled Low
The system firewall was disabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 10 Minutes
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004)Required data: XDR AgentAttacker's goals: Exfiltrate data or move laterally in the organization.Investigative actions: Examine the command to understand which ip or port were affected. Check the communication allowed by the created firewall rule.Unusual Netsh PortProxy rule Low 2 variations
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unusual Netsh PortProxy rule by non-netsh process
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Netsh PortProxy rule by an unsigned causality actor
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
User set insecure CA registry setting for global SANs Low Identity Analytics
A user enabled the EDITF_ATTRIBUTESUBJECTALTNAME2 registry flag, allowing custom Subject Alternative Names (SANs) to be specified on all certificate templates. This could enable attackers to bypass security controls by requesting certificates with user-defined SANs.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Impair Defenses: Disable or Modify Tools (T1562.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Certificate Services AnalyticsAttacker's goals: This flag can allow an attacker to obtain a certificate with higher privileges and escalate to Domain Admin.Investigative actions: Confirm whether the registry change was authorized by the user or system administrator. Monitor certificate enrollments with Subject Alternate Names. Restore the secure configuration by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag and enforcing strict certificate policies. Investigate any unusual authentication attempts or certificates issued to high-privilege users or accounts.