Zero Networks asset is no longer monitored by cloud connector

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects assets that are no longer being monitored by the cloud connector.

Strategy

Monitor audit logs and notify when an asset is no longer monitored by the cloud connector. An asset dropping out of monitoring may indicate that an unauthorized user disabled monitoring to avoid detection.

Triage and Response

  1. Review audit logs to identify any events or actions that caused the asset to stop being monitored by the cloud connector.
  2. Check the health and status of the cloud connector to ensure it is functioning correctly and maintaining connectivity with the affected asset.
  3. Review the user role {{@user_role}} and the enforcement source {{@enforcement_source}} to identify the user role or system that triggered the event.
  4. Evaluate if the unmonitored asset poses any immediate security risks (such as unauthorized access).
  5. Implement immediate measures based on the audit log findings to address any security concerns.
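
The sketch below walks triage steps 1 to 3 over a handful of constructed audit events. It is an added example, not the rule's own query or the vendor's log schema. Only `user_role` and `enforcement_source` come from the rule text; the other field names, the `asset_unmonitored` action name and the burst thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. Only user_role and enforcement_source are
# attribute names from the rule text; every other field name and value here
# is a hypothetical stand-in, not the Zero Networks log schema.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "asset": "srv-db-01", "action": "policy_changed",
     "user_role": "admin", "enforcement_source": "portal"},
    {"ts": "2024-05-01T10:04:00", "asset": "srv-db-01", "action": "asset_unmonitored",
     "user_role": "admin", "enforcement_source": "portal"},
    {"ts": "2024-05-01T11:00:00", "asset": "vm-web-01", "action": "asset_unmonitored",
     "user_role": "system", "enforcement_source": "connector"},
    {"ts": "2024-05-01T11:00:20", "asset": "vm-web-02", "action": "asset_unmonitored",
     "user_role": "system", "enforcement_source": "connector"},
    {"ts": "2024-05-01T11:00:40", "asset": "vm-web-03", "action": "asset_unmonitored",
     "user_role": "system", "enforcement_source": "connector"},
]

def triage(events, lookback=timedelta(minutes=30), burst=timedelta(minutes=2), burst_size=3):
    """Return one finding per 'asset_unmonitored' event, oldest first."""
    rows = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["t"])
    drops = [e for e in rows if e["action"] == "asset_unmonitored"]
    by_source = defaultdict(list)
    for d in drops:
        by_source[(d["user_role"], d["enforcement_source"])].append(d["t"])
    findings = []
    for d in drops:
        # Step 1: earlier audit events on the same asset inside the lookback window.
        prior = [e["action"] for e in rows
                 if e["asset"] == d["asset"] and d["t"] - lookback <= e["t"] < d["t"]]
        # Step 2: many assets dropped by one source in a short burst points at
        # connector health rather than one targeted change (assumed heuristic).
        times = by_source[(d["user_role"], d["enforcement_source"])]
        near = sum(1 for t in times if abs(t - d["t"]) <= burst)
        findings.append({
            "asset": d["asset"],
            "user_role": d["user_role"],                    # Step 3
            "enforcement_source": d["enforcement_source"],  # Step 3
            "preceding_actions": prior,
            "hint": "check connector health" if near >= burst_size else "review actor change",
        })
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

The `hint` only orders the work: a burst still needs the connector check in step 2, and a single drop still needs the risk evaluation in step 4.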