
t1485

Title | Tags
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
admin activity
an administrator or network operator can execute this command. please update the filter macros to remove false positives.
an administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
administrators may legitimately access, delete, and replace objects in s3 buckets. ensure that the sequence of events is not part of a legitimate operation before taking action.
any user deleting files that way.
appending null bytes to files.
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
device or device configuration being modified or deleted may be performed by a system administrator.
device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eks cluster being created or deleted may be performed by a system administrator.
eks cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
file system or mount being deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system mount deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
legitimate interaction with files that have these extensions
it is possible for a legitimate file with these extensions to be created. if this is a true ransomware attack, there will be a large number of files created with these extensions.
it's possible that a legitimate file could be created with the same name used by ransomware note files.
legitimate overwrite of files.
legitimate usage of sdelete
linux package installer/uninstaller may cause this event. please update your filter macros to remove false positives.
scripts and administrative tools used in the monitored environment
snapshots may be deleted by a system administrator. verify whether the user identity should be making changes in your environment. snapshot deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
storage buckets may be deleted by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
system administrator usage
the DeletionProtection feature must be disabled as a prerequisite for deletion of a db instance or cluster. ensure that the instance should not be modified in this way before taking action.
the uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. a filter is necessary to reduce false positives.
user may execute and use this application
users may delete a large number of pictures or files in a folder, which could trigger this detection. additionally, heavy usage of Power BI and Outlook may also result in false positives.
users or system administrator cleaning out folders.
verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
while this search has no known false positives, it is possible that it is legitimate admin activity. please consider filtering out these noisy events using the useragent and user_arn field names.
windows defender av updates may trigger this alert. please adjust the filter macros to mitigate false positives.