Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0001 ✕ technique: T1496 ✕
Show ATT&CK heatmapAbnormal Allocation of compute resources in multiple regions Informational Cloud 4 variations
An identity allocated an unusual compute resource pool, suspected as mining activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to generate virtual currency.Investigative actions: Verify that the identity creating the resources is legitimate. Check for unusual behavior from this identity, including potential compromise (e.g., exposed access keys or service accounts).Variations
Abnormal Unusual allocation of compute resources in multiple regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Suspicious allocation of compute resources in multiple regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Allocation of compute resources in a high number of regions
High overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Abnormal Allocation of compute resources in multiple regions by an unusual identity
Low overridden
An identity allocated an unusual compute resource pool, suspected as mining activity. overridden
Allocation of multiple cloud compute resources Informational Cloud 5 variations
An identity allocated multiple compute resources.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, service account, etc.Variations
Unusual allocation of multiple cloud compute resources
High overridden
An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen across all the projects during the past 30 days. overridden
Unusual allocation of multiple cloud compute resources
Medium overridden
An identity allocated multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden
Unusual allocation of multiple cloud compute resources
Medium overridden
An identity allocated multiple compute resources.The allocated instances contains GPU accelerators, such pattern is related to a crypto mining activity. overridden
Allocation of multiple cloud compute resources with accelerator gear
Low overridden
An identity allocated multiple compute resources.his activity is unusual for this identity in past 30 days. overridden
Unusual allocation attempt of multiple cloud compute resources
Low overridden
An identity attempted to allocate multiple compute resources.This activity is highly unusual, such volume of compute allocation was not seen at in this project during the past 30 days. overridden
Suspicious heavy allocation of compute resources - possible mining activity Medium Cloud 3 variations
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Impact (TA0040) Initial Access (TA0001)ATT&CK techniques: Resource Hijacking (T1496) Valid Accounts (T1078)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Leverage cloud compute resources to earn virtual currency.Investigative actions: Check the identity created resources and its legitimacy. Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. access key, service account, etc.Variations
Suspicious heavy allocation of compute resources - possible mining activity
Low overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
High overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden
Suspicious heavy allocation of compute resources - possible mining activity
Medium overridden
An identity allocated an unusual heavy compute resource, suspected as mining activity.Heavy machines normally have a high amount of CPU cores or attached with GPU, which are targeted by adversaries to mine Cryptocurrency. overridden