Zero Networks asset is no longer monitored by cloud connector

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects assets that are no longer being monitored by the cloud connector.

Strategy

Monitor audit logs and notify when an asset is no longer monitored by the cloud connector. This may indicate that an unauthorized user disabled monitoring to avoid detection.

Triage and Response

  1. Review audit logs to identify any events or actions that caused the asset to stop being monitored by the cloud connector.
  2. Check the health and status of the cloud connector to ensure it is functioning correctly and maintaining connectivity with the affected asset.
  3. Review the user role {{@user_role}} and the enforcement source {{@enforcement_source}} to identify the user role or system that triggered the event.
  4. Evaluate if the unmonitored asset poses any immediate security risks (such as unauthorized access).
  5. Implement immediate measures based on the audit log findings to address any security concerns.
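
For triage steps 1 and 3, the following added example (not part of the original rule or of any vendor's code) replays exported audit events, keeps only assets whose most recent monitoring event left them unmonitored, and groups them by user role and enforcement source. Only `user_role` and `enforcement_source` come from the rule's template variables; the JSON-lines layout, the `ts`, `action` and `asset` fields, the action names and all sample values are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Hypothetical action names; substitute the values your audit logs actually use.
MONITORED, UNMONITORED = "asset_monitored", "asset_unmonitored"

# Constructed sample events (JSON lines), deliberately out of time order.
# Only user_role and enforcement_source come from the rule's template variables.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T10:20:00Z", "action": "asset_monitored", "asset": "web-01", "user_role": "Admin", "enforcement_source": "portal"}
{"ts": "2024-05-01T10:05:00Z", "action": "asset_unmonitored", "asset": "web-01", "user_role": "Admin", "enforcement_source": "portal"}
{"ts": "2024-05-01T10:07:00Z", "action": "asset_unmonitored", "asset": "db-02", "user_role": "Admin", "enforcement_source": "portal"}
{"ts": "2024-05-01T10:09:00Z", "action": "asset_unmonitored", "asset": "app-03", "user_role": "Admin", "enforcement_source": "portal"}
{"ts": "2024-05-01T10:30:00Z", "action": "asset_unmonitored", "asset": "vm-04", "enforcement_source": "connector_sync"}
{"ts": "2024-05-01T10:31:00Z", "action": "login", "asset": "vm-04", "user_role": "Viewer", "enforcement_source": "portal"}
"""

def still_unmonitored(lines):
    """Group assets that remain unmonitored by (user_role, enforcement_source)."""
    latest = {}  # asset -> most recent monitoring-related event
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Unrelated audit events must not mask an earlier unmonitor action.
        if event.get("action") not in (MONITORED, UNMONITORED):
            continue
        prev = latest.get(event["asset"])
        # Same-format UTC ISO 8601 timestamps compare correctly as strings.
        if prev is None or event["ts"] >= prev["ts"]:
            latest[event["asset"]] = event
    groups = defaultdict(list)
    for asset, event in latest.items():
        if event["action"] == UNMONITORED:
            key = (event.get("user_role", "unknown"),
                   event.get("enforcement_source", "unknown"))
            groups[key].append(asset)
    return {key: sorted(assets) for key, assets in groups.items()}

if __name__ == "__main__":
    for (role, source), assets in still_unmonitored(SAMPLE_EVENTS.splitlines()).items():
        print(f"role={role} source={source} unmonitored={assets}")
```

Several assets removed by the same role and source in a short window deserve priority over a single system-initiated change, and an asset that was re-enrolled afterwards (`web-01` in the sample) drops out of the list.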