# Suspected Attacks

The Suspected Attacks page uses AI-assisted detection to identify and surface potential sequences of suspicious events across your cloud environment that together indicate a possible breach or attack in progress.

<figure><img src="/files/UIKOOkF2qiaFKOLqeQdp" alt=""><figcaption></figcaption></figure>

***

### What Is an Attack Chain?

An attack chain is a series of correlated events that suggest an attempted or successful data compromise. DataDefender maps detected events against MITRE ATT&CK techniques and groups related events into a single chain so you can see the full picture of an attack rather than individual alerts.

***

### Status Filter

Use the status filter buttons to narrow down the attack chains by their current state:

| Status                  | Meaning                                              |
| ----------------------- | ---------------------------------------------------- |
| **All**                 | Show every detected chain                            |
| **Attacks**             | Categorizes single activities that indicate attacks  |
| **Multi-Stage Attacks** | Categorizes multi-stage events that indicate attacks |

The count next to each button shows how many chains are in that state. Click on a specific type of attack to see an icon-based view of potential threats.

<figure><img src="/files/yUQMvsA0UqSXs60MowTJ" alt=""><figcaption></figcaption></figure>

***

### Filtering and Sorting

**Filtering:** Select the time zone and severity. Click 'More Filters' to access more granular controls like Account ID, Location, and more. You can also add filters to search for specific attacks.

**Sort:** Use the sort dropdown to change the ordering (e.g. by date, severity, or completion). Use the arrow button next to it to toggle between ascending and descending order.

<figure><img src="/files/B1sOY7a8XG9dzckKcs8J" alt=""><figcaption></figcaption></figure>

***

### Attack Chain Cards

Each card in the list represents one detected attack chain. Cards show:

* Scenario name and description
* Current status badge (Occurred / Attempted / Blocked / Incomplete)
* Date of first and last detected activity

Click a card to expand it and see the full attack details, including:

* **Summary:** Brief summary of attack and outcome
* **Affected resources:** Which storage resources were involved
* **Threat Category:** Type of threat (Access Control, Data Exfiltration, etc.)
* **Threat State:** Current threat level of the finding

<figure><img src="/files/YiKaiVkvdicWculZaVme" alt=""><figcaption></figcaption></figure>

***

### Pagination

Use the **Previous** and **Next** buttons to navigate through the list of attack chains.

***

### Related Pages

* [Security Holes](/portal-overview/data-security-insights/security-holes.md): See the misconfigurations that may enable attacks
* [Forensic Analysis](/portal-overview/supporting-information/forensic-analysis.md): Search raw CloudTrail logs for specific events
  * Consider checking [File Access by User](/portal-overview/supporting-information/forensic-analysis.md#file-access-by-user) to investigate which files were accessed by certain identities during a potential attack


