T1485

Title
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
admin activity
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrator or network operator can use this application for automation purposes. please update the filter macros to remove false positives.
any user deleting files that way.
appending null bytes to files.
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
device or device configuration being modified or deleted may be performed by a system administrator.
device or device configuration modifications or deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eks cluster being created or deleted may be performed by a system administrator.
eks cluster creations or deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
file system or mount being deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system mount deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
it is possible for a legitimate file with these extensions to be created. if this is a true ransomware attack, there will be a large number of files created with these extensions.
it's possible that a legitimate file could be created with the same name used by ransomware note files.
legitimate overwrite of files.
legitimate usage of sdelete
linux package installer/uninstaller may cause this event. please update your filter macro to remove false positives.
scripts and administrative tools used in the monitored environment
storage buckets may be deleted by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
system administrator usage
the uninstallation of a large software application or the use of cleanmgr.exe may trigger this detection. a filter is necessary to reduce false positives.
user may execute and use this application
users may delete a large number of pictures or files in a folder, which could trigger this detection. additionally, heavy usage of powerbi and outlook may also result in false positives.
users or system administrator cleaning out folders.
windows defender av updates may trigger this alert. please adjust the filter macros to mitigate false positives.