Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0001 ✕ technique: T1059 ✕
Show ATT&CK heatmapA Command Line Interface (CLI) command was executed from an AWS serverless compute service Low Cloud 2 variations
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Initial Access (TA0001) Credential Access (TA0006) Execution (TA0002)ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Steal Application Access Token (T1528) Unsecured Credentials (T1552) Command and Scripting Interpreter: Cloud API (T1059.009)Required data: AWS Audit LogDetector tags: Cloud Serverless Function Credentials Theft AnalyticsAttacker's goals: Exfiltrate serverless token and abuse it.Investigative actions: Verify whether the serverless-attached identity's credentials were intentionally used in CLI. Check what CLI commands were executed using the serverless attached token. Check if the suspected serverless function is compromised.Variations
A Command Line Interface (AWS-CLI) command was executed from an AWS serverless compute service
Informational overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Command Line Interface (CLI) command was executed from an AWS serverless compute service
Low overridden
AWS serverless compute service token was used to execute a Command Line Interface (CLI) command. This may indicate token theft due to the nature of serverless compute. overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod Low 1 variation
Unusual Process Spawned by Nginx in Ingress-Nginx pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Initial Access (TA0001)ATT&CK techniques: Command and Scripting Interpreter (T1059) Exploit Public-Facing Application (T1190)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: An attacker attempts to use nginx for lateral movement or privilege escalation.Investigative actions: Investigate the child processes for malicious activity and network connections to an external host.Variations
Unusual process spawned by ingress-nginx with a critical-severity vulnerability found the workload
High overridden
Unusual Process Spawned by Nginx in Ingress-Nginx pod. overridden