This alert gets triggered when a native datastore collection was deleted. Datastore is a highly scalable NoSQL database for your applications. Datastore automatically handles sharding and replication, providing you with a highly available and durable database that scales automatically to handle your applications' load. Collection in datastore handles the fields created in the individual database. Impact The collection document serves as the repository for all raw data. Therefore, unintended or mistaken deletion of this document could profoundly affect business operations, customer experience, applications, and data visibility. Moreover, such an incident could result in reputational damage and substantial penalties from compliance authorities. Mitigation Reviewing the deletion of the collection document is vital due to its potential critical impacts on business operations. Analyze the logs to assess the data's significance, then reach out to the user responsible to verify the activity. If the deletion is business-approved, it may be disregarded; otherwise, engage the engineering team to restore it from backup files and ensure any resulting impacts are resolved. Additionally, consider restricting permissions for unauthorized users to mitigate future occurrences. MITRE Tactic: TA0040 MITRE Technique: T1485

This alert gets triggered when a datastore entity was deleted. Data objects in Datastore are known as entities. An entity has one or more named properties, each of which can have one or more values. Impact An entity comprises one or multiple named properties, each capable of holding one or more values. Entities of identical types are not required to possess identical properties, and the values within an entity for a specific property need not all conform to the same data type. Deleting entities can result in permanent data loss unless a backup is made. Unauthorized or accidental entity deletions can significantly impact business operations, applications, integrations, customer experience, and more. Mitigation Reviewing entity deletions is crucial due to their potential critical impacts on business operations. Thoroughly examine the logs to assess the importance of the data affected, then contact the user responsible for the deletion to verify the activity. If the action is approved by the business, it can be disregarded; otherwise, engage the engineering team to restore the data from backup files and ensure that any resulting impacts are rectified. Additionally, consider restricting permissions for unauthorized users to prevent similar incidents in the future. MITRE Tactic: TA0040 MITRE Technique: T1485

This alert gets triggered when a user downloads the files/data from the datastore. Data from a Datastore mode database can be exported and seamlessly imported into another Datastore mode database, even across different projects. Note: Please whitelist any users/admins expected to perform this action to fine-tune the alert query. Impact Exporting data to offline storage, another project, or a different datastore can potentially jeopardize data security, leading to risks such as exposure, unauthorized access, and leakage. Additionally, such actions could result in compliance violations and substantial penalties for the organization. Mitigation Ensure that crucial operations like data export are limited to administrator users possessing monitoring capabilities, adhering to the Zero Trust framework for robust data security. Verify the destination of data export in collaboration with the user and assess its business justification; if none exists, promptly remove the exported data. MITRE Tactic: TA0010 MITRE Technique: T1567

This alert gets triggered when a database is deleted by a user. The database houses a collection of entities, datasets, and values, enabling the processing and presentation of results to the connected application. Impact The deletion of a database can significantly disrupt business operations, leading to data loss, damage to brand reputation, and potential compliance penalties. Data loss may also erode trust among existing and potential users, as they may question the organization's commitment to protecting their data through robust security measures. Mitigation Implement stringent access controls and establish an approval process for critical events. Ensure daily database backups are enabled to meet compliance requirements. Upon reviewing logs, if the deletion pertains to staging or sandbox environments, you may close the alert. Otherwise, contact the user to request a business justification. In the event of accidental deletion, restore the database from backup and investigate the associated business impact. MITRE Tactic: TA0040 MITRE Technique: T1485