Analytics Alerts
Browse the Cortex analytics alert reference.
9 alerts match the current filters. technique: T1578 ✕
Show ATT&CK heatmapA Service Principal was removed from Azure Informational Cloud
A service principal was removed from Azure. This indicates a change in access permissions and may indicate malicious activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)Required data: Azure Audit LogAttacker's goals: Evade defensive measures by deleting a possibly malicious service principal.Investigative actions: Check the Azure Active Directory audit logs for the details of the removed service principal. Check the Azure role assignments to identify which resources were impacted by the removal of the service principal.A cloud storage configuration was modified Informational Cloud
A cloud storage configuration was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Public Exposure, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: An attacker may use this API to grant storage access permission.Investigative actions: Check if the identity intended to modify the storage configuration. Check if the identity performed additional malicious operations in the cloud environment.An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation
An unusual cloud identity was granted permissions to a BigQuery table or dataset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.Variations
Cloud admin granted an unknown identity permissions to a BigQuery resource
Informational overridden
An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden
Cloud compute volume creation attempt Informational Cloud 1 variation
An attempt was made to create an EBS volume.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on snapshots.Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.Variations
Cloud compute volume creation attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to create an EBS volume. overridden
Cloud instance creation attempt Informational Cloud
An attempt was made to create a cloud compute instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Create a new cloud instance to evade detection or leverage it for further malicious activity.Investigative actions: Review recent activity related to the identity and the created cloud instance.Cloud instance deletion attempt Informational Cloud 1 variation
An attempt was made to delete a cloud compute instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: To remove evidence or disrupt operations.Investigative actions: Review recent activity associated with the identity and the deleted instance.Variations
Cloud instance deletion attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to delete a cloud compute instance. overridden
Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
EBS volume attachment attempt Informational Cloud 2 variations
An attempt was made to attach an EBS volume to an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit LogAttacker's goals: Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.Investigative actions: Review recent activity related to the identity, the attached volume and the cloud instance.Variations
EBS volume attachment attempt for volume with sensitive data
Informational overridden
An attempt was made to attach an EBS volume with sensitive data to an EC2 instance. overridden
EBS volume attachment attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to attach an EBS volume to an EC2 instance. overridden
EBS volume detachment attempt Informational Cloud 1 variation
An attempt was made to detach an AWS EBS volume from an EC2 instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)Required data: AWS Audit LogAttacker's goals: Exfiltrate sensitive data stored on the detached volume.Investigative actions: Review recent activity related to the identity and the detached volume.Variations
EBS volume detachment attempt using Cloud Formation or Terraform
Informational overridden
An attempt was made to detach an AWS EBS volume from an EC2 instance. overridden