Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

9 alerts match the current filters. technique: T1565 ✕

Show ATT&CK heatmap
  • Data Sharing between GCP and Google Workspace was disabled Informational Identity Threat Module 3 variations

    An identity has modified data sharing settings between GCP and Google Workspace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Defense Evasion (TA0005) Impact (TA0040)
    ATT&CK techniques: Indicator Removal (T1070) Impair Defenses (T1562) Data Manipulation (T1565) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
    Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). Check whether Google Workspace audit log events were configured to be sent to Google Cloud. Follow further actions done by the account.

    Variations

    Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

    Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

    Low overridden

    An identity has modified data sharing settings between GCP and Google Workspace. overridden

  • Disable encryption operations Low Cloud

    Encryption was disabled on the servers that host EC2 instances, both for data-at-rest and data-in-transit.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation (T1565)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Protection Tampering, Data Detection & Response
    Attacker's goals: Decrypt sensitive data host on EC2 instance, this may be a step in a flow for data exfiltration.
    Investigative actions: Check if Identity intended to disable the encryption.
  • GCP Storage Bucket Configuration Modification Informational Cloud

    A GCP storage bucket configuration has been modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: Gcp Audit Log
    Detector tags: Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Manipulate stored data.
    Investigative actions: Check if there were any services/procedures affected by the modification. Check what other actions were taken by the identity that modified the configuration.
  • Logging was impaired via external encryption key Medium Cloud

    The resource was configured with an external key This might be an attempt to disrupt log inspection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Impact (TA0040) Defense Evasion (TA0005)
    ATT&CK techniques: Data Manipulation (T1565) Impair Defenses (T1562)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Modifying the key used to encrypt the logs to remain undetected.
    Investigative actions: Check the identity that updated the resource configuration. Check the key used to encrypt the logs.
  • Suspicious AI Dataset Download Low Cloud 1 variation

    A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Manipulate datasets used by ML models.
    Investigative actions: Determine which dataset was accessed. Examine the changes made to the dataset.

    Variations

    Suspicious First-Time AI Dataset Download by Identity

    Medium overridden

    A model dataset was accessed by an identity that typically doesn't interact with dataset files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection. overridden

  • Suspicious AI Dataset Label Modification Low Cloud

    AI Dataset labels were modified by an identity that typically doesn't interact with labels.MITRE ATLAS Technique: AML.T0020 - Poison Training Data.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating training set, so that predictions on new data will be modified.
    Investigative actions: Check the identity that modified the dataset's labels. Check that the dataset is correctly labeled.
  • Unusual AI Knowledge Base Modification Low Cloud 1 variation

    An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.
    Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.

    Variations

    Suspicious AI Knowledge Base Modification

    Medium overridden

    An AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases, adding a new data source type. overridden

  • Unusual AI RAG Knowledge Base Modification Low Cloud

    AI knowledge base was modified by an identity that typically doesn't interact with knowledge bases.MITRE ATLAS Technique: AML.T0070 - RAG Poisoning.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Contaminating knowledge base, so that contextual information will be incorrect, biased or harmful.
    Investigative actions: Check the identity that modified the knowledge base. Check recent additions to the knowledge base.
  • Unusual AI dataset modification Low Cloud 1 variation

    A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Impact (TA0040)
    ATT&CK techniques: Data Manipulation: Stored Data Manipulation (T1565.001)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Poison datasets used by ML models.
    Investigative actions: Examine changed datasets and determine which ML models were affected. Investigate any unusual activity originating from the suspected identity.

    Variations

    Unusual AI dataset modification from an internal IP address

    Informational overridden

    A cloud identity modified an AI dataset.MITRE ATLAS Techniques: AML.T0059 - Erode Dataset Integrity, AML.T0018.000 - Backdoor ML Model: Poison ML Model.OWASP Top 10 LLM Technique: LLM04 - Data and Model Poisoning. overridden