
Alert Pack: Impact (MITRE ATT&CK Tactic: TA0040)

Purpose

This alert pack brings our SecOps-related content to our non-SecOps customers and helps jump-start threat coverage. It contains a set of detections that alert when an attacker uses common impact-focused MITRE ATT&CK tactics. These tactics are typically used to disrupt environments and availability.

These tactics can cause extensive damage to your organization and its reputation with customers. These alerts provide your team with actionable information as soon as the attackers attempt these tactics.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup

SecOpsGCPIAMCustomRoleDeletion

SecOpsAWSIAMDeletePolicy

SecOpsLog4ShellVulnerabilityCloudAzure

SecOpsGCPPrivateCloudNetworkDeletion

SecOpsAwsKmsKeyDeletion

SecOpsAzureNWDeviceModified

SecOpsGCPStorageBucketDeletion

SecOpsAwsS3EncryptWithKMSKey

SecOpsAzureAutomationRunbookDeleted

SecOpsGCPIAMServiceAccountDisabled

SecOpsAwsMasterKeyDisabledOrDeletion

SecOpsGCPSQLDatabaseModification

SecOpsGCPIAMServiceAccountDeletion

SecOpsAWSIamSuccessfulGroupDeletion

SecOpsGCPPrivateCloudRouteDeletion

SecOpsAWSIamFailureGroupDeletion

SecOpsWinBackupCatalogDeleted


What is Impact?

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration area, where you can apply filters to find the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.