
Alert Pack: Data Destruction (MITRE ATT&CK Technique T1485)

Purpose

This alert pack helps you detect data being deleted outside of normal procedures. When that happens, the SOC can open an investigation, quickly contain the threat inside the affected systems, and restore whatever was damaged. Destroyed data not only disrupts the business and its users; it can also lead to fines under government regulations and to findings in compliance audits.

Security Operations application

Users of the Security Operations application obtain more detailed information on these alerts if they install them through the Content Manager instead. The pack contains the following alerts:

SecOpsLinuxFileDDOverwrite

SecOpsLinuxInitDaemonDeletion

SecOpsLinuxDeletionofService

SecOpsLinuxDeletionofSslCert

SecOpsLinuxDeletionSSHKey

SecOpsGCPStorageBucketDeletion

SecOpsLinuxHighFileDeletesEtc

What is Data Destruction?

Adversaries may destroy data and files on specific systems or in large numbers across a network to interrupt the availability of systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques, typically by overwriting files or data on local and remote drives. Operating system file deletion commands such as del and rm often only remove the pointers to files without wiping the file contents themselves, so the files remain recoverable with proper forensic methodology.
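The distinction above (unlink versus overwrite) is what the Linux alerts in this pack key on: dd writing to a block device is an overwrite, while rm of a service unit, a certificate or an SSH key is a deletion whose impact comes from what was removed rather than how. The following is an added example, not the alert pack's own queries and not Devo code: a small Python detector that runs the pack's Linux categories over constructed auditd-style EXECVE records. The log format, the mapping of paths to alert names, the inclusion of unlink and shred as deletion verbs, and the threshold and window for the "high file deletes in /etc" rule are all assumptions made for illustration; the GCP bucket alert is not covered because it would come from cloud audit logs, not process execution events.

```python
import re
from collections import defaultdict

# Constructed auditd-style EXECVE records, one event per line. These are
# invented for the example and are not real telemetry.
SAMPLE_LOG = """\
ts=1700000001 host=web01 uid=0 a0="dd" a1="if=/dev/zero" a2="of=/dev/sda" a3="bs=1M"
ts=1700000002 host=web01 uid=0 a0="dd" a1="if=/dev/sda" a2="of=/dev/null"
ts=1700000003 host=web01 uid=0 a0="rm" a1="-f" a2="/etc/systemd/system/nginx.service"
ts=1700000004 host=web01 uid=0 a0="rm" a1="/etc/init.d/sshd"
ts=1700000005 host=web01 uid=0 a0="rm" a1="/etc/ssl/certs/server.crt"
ts=1700000006 host=web01 uid=1000 a0="rm" a1="/home/alice/.ssh/id_ed25519"
ts=1700000007 host=web01 uid=1000 a0="rm" a1="/home/alice/.ssh/authorized_keys"
ts=1700000010 host=db01 uid=0 a0="rm" a1="-rf" a2="/etc/ld.so.cache"
ts=1700000011 host=db01 uid=0 a0="rm" a1="/etc/hosts"
ts=1700000012 host=db01 uid=0 a0="rm" a1="/etc/resolv.conf"
ts=1700000013 host=db01 uid=0 a0="rm" a1="/etc/fstab"
ts=1700000014 host=db01 uid=0 a0="rm" a1="/etc/passwd"
ts=1700000099 host=db01 uid=0 a0="rm" a1="/etc/motd"
ts=1700000100 host=app01 uid=1000 a0="rm" a1="/tmp/build.log"
"""

# key=value pairs; values may be double-quoted (auditd quotes EXECVE args).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    """Turn one flattened EXECVE record into a dict with an ordered argv list."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    arg_keys = sorted((k for k in fields if re.fullmatch(r"a\d+", k)),
                      key=lambda k: int(k[1:]))
    return {"ts": int(fields["ts"]), "host": fields["host"],
            "uid": int(fields["uid"]), "argv": [fields[k] for k in arg_keys]}

# Assumed deletion verbs (unlink and shred go beyond what the pack names).
DELETE_VERBS = {"rm", "unlink", "shred"}
SERVICE_DIRS = ("/etc/init.d/", "/etc/systemd/system/",
                "/lib/systemd/system/", "/usr/lib/systemd/system/")
CERT_RE = re.compile(r"^/etc/(ssl|pki)/.*\.(crt|pem|key|cer)$")
SSH_KEY_RE = re.compile(r"/\.ssh/(id_[^/]+|authorized_keys)$")

def classify(event):
    """Return the single-event alert names that fire for one record.
    The names are the pack's; the path-to-alert mapping is an assumption."""
    argv = event["argv"]
    if not argv:
        return []
    prog, args = argv[0], argv[1:]
    hits = []
    if prog == "dd":
        # Writing raw bytes onto a block device wipes it. of=/dev/null is a
        # common benign read-throughput test, so it is excluded explicitly.
        targets = [a[3:] for a in args if a.startswith("of=")]
        if any(t.startswith("/dev/") and t != "/dev/null" for t in targets):
            hits.append("SecOpsLinuxFileDDOverwrite")
    elif prog in DELETE_VERBS:
        for path in (a for a in args if not a.startswith("-")):
            if path.startswith(SERVICE_DIRS):
                hits.append("SecOpsLinuxInitDaemonDeletion" if "/init.d/" in path
                            else "SecOpsLinuxDeletionofService")
            if CERT_RE.match(path):
                hits.append("SecOpsLinuxDeletionofSslCert")
            if SSH_KEY_RE.search(path):
                hits.append("SecOpsLinuxDeletionSSHKey")
    return hits

def high_etc_deletes(events, threshold=5, window=60):
    """Sliding-window count of deletions under /etc per host. Returns the hosts
    that reach `threshold` deletions within `window` seconds (both values are
    illustrative; tune them to the environment)."""
    per_host = defaultdict(list)
    for e in events:
        if e["argv"] and e["argv"][0] in DELETE_VERBS:
            if any(a.startswith("/etc/") for a in e["argv"][1:]):
                per_host[e["host"]].append(e["ts"])
    flagged = []
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(host)
                break
    return flagged

def run(log_text):
    """Parse a log, apply every rule, and return (ts, host, alert) tuples."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    alerts = [(e["ts"], e["host"], name) for e in events for name in classify(e)]
    for host in high_etc_deletes(events):
        alerts.append((None, host, "SecOpsLinuxHighFileDeletesEtc"))
    return alerts

if __name__ == "__main__":
    for ts, host, name in run(SAMPLE_LOG):
        print(f"{name:34} host={host} ts={ts}")
```

On the sample, the dd read to /dev/null and the rm in /tmp produce nothing, each of the six sensitive deletions or overwrites on web01 raises its own alert, and db01 is flagged only by the rate rule, since none of its individual targets is a service, certificate or key. That split matters in triage: the single-event alerts identify what was destroyed, while the rate rule catches a wipe of configuration that no single-path rule would name.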

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open the Alert Pack

Once you have installed the alert pack, use the Open button at the top right of its card in Exchange to reach the Alert configuration area, where you can apply filters to find the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the pack is installed. Go to the Alert configuration area to activate the ones you need and assign sending policies to them so that you receive them through the desired channels.