Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0001 ✕ technique: T1548 ✕

Show ATT&CK heatmap
  • GCP service account impersonation attempt Informational Cloud

    An attempt to impersonate the GCP service account failed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: Gcp Audit Log
    Attacker's goals: Escalate privileges to gain elevated access to cloud resources.
    Investigative actions: Review activity on the target service account. Check which principals have permission to impersonate the service account.
  • Unusual cloud identity impersonation Informational Cloud 3 variations

    A cloud identity attempted to impersonate another identity for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
    ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Escalate privileges and bypass access controls Avoid detection throughout their compromise.
    Investigative actions: Check the identity's designation. Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

    Variations

    Unusual cloud identity impersonation of a management role

    Informational overridden

    A cloud identity attempted to impersonate a management role for the first time. overridden

    Suspicious cloud identity impersonation was succeeded

    Medium overridden

    A cloud identity has impersonated another identity for the first time. overridden

    Suspicious cloud identity impersonation was failed

    Informational overridden

    A cloud identity has failed to impersonate another identity. overridden