Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

9 alerts match the current filters. technique: T1578 ✕

Show ATT&CK heatmap
  • A Service Principal was removed from Azure Informational Cloud

    A service principal was removed from Azure. This indicates a change in access permissions and may indicate malicious activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)
    Required data: Azure Audit Log
    Attacker's goals: Evade defensive measures by deleting a possibly malicious service principal.
    Investigative actions: Check the Azure Active Directory audit logs for the details of the removed service principal. Check the Azure role assignments to identify which resources were impacted by the removal of the service principal.
  • A cloud storage configuration was modified Informational Cloud

    A cloud storage configuration was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Public Exposure, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: An attacker may use this API to grant storage access permission.
    Investigative actions: Check if the identity intended to modify the storage configuration. Check if the identity performed additional malicious operations in the cloud environment.
  • An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation

    An unusual cloud identity was granted permissions to a BigQuery table or dataset.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)
    Required data: Gcp Audit Log
    Detector tags: Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.
    Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.

    Variations

    Cloud admin granted an unknown identity permissions to a BigQuery resource

    Informational overridden

    An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden

  • Cloud compute volume creation attempt Informational Cloud 1 variation

    An attempt was made to create an EBS volume.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on snapshots.
    Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.

    Variations

    Cloud compute volume creation attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to create an EBS volume. overridden

  • Cloud instance creation attempt Informational Cloud

    An attempt was made to create a cloud compute instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Create Cloud Instance (T1578.002)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Create a new cloud instance to evade detection or leverage it for further malicious activity.
    Investigative actions: Review recent activity related to the identity and the created cloud instance.
  • Cloud instance deletion attempt Informational Cloud 1 variation

    An attempt was made to delete a cloud compute instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: To remove evidence or disrupt operations.
    Investigative actions: Review recent activity associated with the identity and the deleted instance.

    Variations

    Cloud instance deletion attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to delete a cloud compute instance. overridden

  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

  • EBS volume attachment attempt Informational Cloud 2 variations

    An attempt was made to attach an EBS volume to an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log
    Attacker's goals: Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.
    Investigative actions: Review recent activity related to the identity, the attached volume and the cloud instance.

    Variations

    EBS volume attachment attempt for volume with sensitive data

    Informational overridden

    An attempt was made to attach an EBS volume with sensitive data to an EC2 instance. overridden

    EBS volume attachment attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to attach an EBS volume to an EC2 instance. overridden

  • EBS volume detachment attempt Informational Cloud 1 variation

    An attempt was made to detach an AWS EBS volume from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on the detached volume.
    Investigative actions: Review recent activity related to the identity and the detached volume.

    Variations

    EBS volume detachment attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to detach an AWS EBS volume from an EC2 instance. overridden